US20110208866A1 - Advanced network characterization - Google Patents
- Publication number
- US20110208866A1 (application US13/004,821)
- Authority
- US
- United States
- Prior art keywords
- network
- networks
- block
- information
- connection agent
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
        - H04L63/12—Applying verification of the received information
          - H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
          - H04L63/126—Applying verification of the received information the source of the received data
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
          - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/04—Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
        - H04L67/14—Session management
          - H04L67/141—Setup of application sessions
        - H04L67/50—Network services
          - H04L67/75—Indicating network or usage conditions on the user display
      - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/18—Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
        - H04L69/24—Negotiation of communication capabilities
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
          - H04W12/069—Authentication using certificates or pre-shared keys
        - H04W12/50—Secure pairing of devices
        - H04W12/60—Context-dependent security
          - H04W12/66—Trust-dependent, e.g. using trust scores or trust relationships
      - H04W48/00—Access restriction; Network selection; Access point selection
        - H04W48/08—Access restriction or access information delivery, e.g. discovery data delivery
        - H04W48/16—Discovering, processing access restriction or access information
        - H04W48/18—Selecting a network or a communication service
      - H04W84/00—Network topologies
        - H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
          - H04W84/10—Small scale networks; Flat hierarchical networks
            - H04W84/12—WLAN [Wireless Local Area Networks]
Definitions
- Embodiments of the inventive subject matter relate generally to the field of telecommunications, and more particularly to the field of network connectivity.
- broadband networks such as free networks, enterprise networks, public hotspots, hotel broadband networks, home networks, etc.
- These networks typically provide extensive connectivity and high data transfer rates.
- the availability of numerous networks can pose security risks and management difficulties. For example, attackers can set up rogue network access points that appear to provide access to legitimate networks. In the course of providing access to illegitimate networks, the attackers may have an opportunity to steal data, delete data, spread viruses, etc.
- Computing devices often have numerous connection clients for connecting with multiple networks. As a result, connecting to different networks is rarely seamless and often requires user intervention. Having numerous connection clients can consume considerable system resources and often causes user confusion and frustration. As a result, there is a need for a system for securely and easily connecting to networks.
- FIG. 1 is a conceptual diagram illustrating operations of a connection agent, according to some embodiments of the invention.
- FIG. 2 is a block diagram illustrating a system in which connection agents connect computing devices to networks, according to some embodiments of the invention.
- FIG. 3 is a block diagram illustrating components of a connection agent, according to example embodiments of the invention.
- FIG. 4 is a flow diagram illustrating operations for detecting, classifying, characterizing, and connecting to networks, according to some embodiments.
- FIG. 5 is a block diagram illustrating a graphical user interface, according to some embodiments of the invention.
- FIG. 6 is a flow diagram illustrating operations for classifying networks, according to some embodiments of the invention.
- FIG. 7 is a flow diagram illustrating operations for characterizing Wi-Fi networks, according to some embodiments of the invention.
- FIG. 8 is a flow diagram illustrating operations for characterizing a network based on network-layer interactions, according to some embodiments of the invention.
- FIG. 9 is a flow diagram illustrating operations for characterizing 3G networks, according to some embodiments of the invention.
- FIG. 10 is a flow diagram illustrating operations for characterizing 4G networks, according to some embodiments of the invention.
- FIG. 11 is a flow diagram illustrating operations for characterizing Ethernet and digital subscriber line (DSL) networks, according to some embodiments of the invention.
- FIG. 12 is a flow diagram illustrating operations for characterizing dial-up, GSM, ISDN, and PHS networks, according to some embodiments of the invention.
- This document describes techniques for classifying and characterizing networks before connecting to the networks. This description of the embodiments is divided into four sections. The first section provides an introduction to some embodiments of the inventive subject matter, while the second section describes components included in some embodiments. The third section describes operations performed by some embodiments. The fourth section provides some general comments.
- connection agents may detect numerous networks available for connection. Some of the available networks may pose unacceptable security risks. For example, certain networks may be known for having poor security (e.g., allowing anyone to access the networks without authentication). In other instances, attackers may be operating imposter networks that appear to be known, safe networks. In reality, the imposter networks lure users to connect, so attackers can steal data, steal authentication information, destroy data, spread viruses, or perform other harmful operations.
- connection agents glean information about networks by probing the networks, but without connecting to the networks.
- connection agents may perform operations to determine what authentication protocol is used by a network. Using the information gleaned from probing, the connection agents can avoid connecting to potentially harmful networks. For example, if a network's authentication protocol differs from an expected protocol, the connection agent can assume the network is unsafe, and thus avoid connecting to that network.
- Although probing has many benefits, some networks may interpret certain probing operations as potentially harmful. These networks may respond by taking remedial action, such as locking out devices that perform suspicious probing. Because some probing can cause lock-outs and other undesired effects, embodiments of the connection agent can select probing operations that will not appear suspicious to networks (i.e., will not cause lock-outs or other conditions that limit or preclude connectivity). As a result, embodiments of the inventive subject matter reduce risks associated with network connectivity, while also avoiding problems associated with network probing. The following discussion of FIG. 1 provides more detail about some embodiments.
- FIG. 1 is a conceptual diagram illustrating operations of a connection agent, according to some embodiments of the invention.
- a laptop computer 102 includes a connection agent (not shown) capable of detecting networks that are available for connection.
- the following networks are available: a Wi-Fi network, 3G network, and ISDN network.
- the laptop's connection agent can connect to these networks via a Wi-Fi access point 104 , a 3G access point 106 , and an ISDN network 108 .
- the operations occur in five stages.
- the laptop's connection agent detects the Wi-Fi, 3G, and ISDN networks by interacting with the access points 104 , 106 , & 108 .
- the connection agent can detect any type of network, such as Ethernet networks, 4G networks, Sonet networks, etc.
- the connection agent classifies the networks based on provisioning information, and information in a venue cache.
- Provisioning information can include information that is known about the networks.
- the provisioning information may indicate the Wi-Fi network's service set identifier (SSID), basic service set identifiers (BSSIDs) for Wi-Fi access points included in the Wi-Fi network, authentication credentials, expected authentication protocols, etc.
- the connection agent can classify networks by comparing information gleaned from the networks (e.g., SSID and BSSID) with provisioning information. In some instances, as a result of classification, the connection agent determines whether a network is known (e.g., identified in the provisioning), and whether the network is trusted.
- the connection agent may detect the Wi-Fi network's SSID and BSSID, as the Wi-Fi access point 104 may periodically broadcast beacons including its SSID and BSSID. In turn, the connection agent can compare the SSID and BSSID with expected values in the provisioning information. If the SSID and BSSID match the provisioning information, the connection agent can classify the network as known and trusted.
- the connection agent's venue cache includes results from earlier classifications and characterizations. Thus, the connection agent can utilize information in the venue cache to speed-up classification and characterization. For example, if venue cache information indicates that the network's SSID and BSSID are associated with a known and trusted network, the connection agent may immediately connect to the network, skipping stages 3 & 4 . Although these examples refer to SSIDs and BSSIDs, embodiments can perform classification using any suitable network information, as discussed in more detail below.
- the connection agent presents a list of networks it has detected. As shown, the connection agent can present the network list in a graphical user interface 110 appearing on the laptop computer 102 . Based on the classification (stage 2 ), the graphical user interface 110 indicates that the Wi-Fi network, 3G network, and ISDN network are trusted networks. In some instances, a user can select any of the networks for connection. In other instances, fewer than all networks are selectable for connection (e.g., untrusted networks may not be selectable for connection). Also during stage 3 , the connection agent receives a network selection via the graphical user interface 110 .
- the connection agent characterizes the selected network by probing the network.
- the connection agent can probe the network for information without creating a network connection.
- the connection agent can probe the Wi-Fi network to determine its authentication protocol. If the network's SSID, BSSID, and authentication protocol match those stored in the provisioning information, the connection agent characterizes the network as known and trusted.
- the connection agent connects to the Wi-Fi network.
- Because the connection agent can probe the network for information and compare that information with provisioning information, the connection agent can reduce the risk of connecting to potentially harmful networks.
- This section describes an example operating environment and presents structural aspects of some embodiments. For example, this section includes discussion about connection agents, computing devices, and networks.
- FIG. 2 is a block diagram illustrating a system in which connection agents connect computing devices to networks, according to some embodiments of the invention.
- a system 200 includes computing devices 202 , which include connection agents 204 .
- the system 200 also includes an access point 206 , public telephone network 208 , Internet service provider (ISP) 210 , network 212 , and enterprise servers 214 .
- connection agents 204 can connect the computing devices 202 to the ISP 210 , which in turn, connects the computing devices to the enterprise servers 214 .
- the ISP 210 can also enable the computing devices 202 to communicate with devices on the Internet (not shown).
- the computing devices 202 include desktop computers, notebook computers, tablet computers, personal digital assistants, mobile telephones, mobile media devices, etc. In other embodiments, one or more of the computing devices 202 can be embedded in other systems, such as automobiles, aircraft, etc. The following discussion of FIG. 3 provides more details about connection agents.
- FIG. 3 is a block diagram illustrating components of a connection agent, according to example embodiments of the invention.
- the connection agent 304 includes an event unit 306 , classification unit 308 , characterization unit 310 , connection unit 315 , scoring unit 313 , and display unit 312 .
- the connection agent 304 has access to policies 314 , provisioning information 316 , certificates 318 , a venue cache 320 , and a response cache 322 .
- the event unit 306 can detect network events that indicate the presence of available networks.
- the classification unit 308 can classify networks into categories (e.g., known and unknown) and classes (e.g., trusted, untrusted, semi-trusted, etc.).
- the classification unit 308 makes determinations about network trust levels based on the provisioning information 316 and information received from networks.
- the characterization unit 310 can probe networks to make further determinations about network trust levels.
- the display unit 312 can perform operations for interacting with users, such as determining which of the available networks to display to users, processing user input, etc.
- the scoring unit 313 can determine a score for networks, where the scores are based on factors such as connection history, signal strength, network media type, etc.
- the connection unit 315 can connect the computing device 302 to networks.
- an enterprise provides the connection agent 304 to its employees to facilitate secure network connectivity across a wide geographic area.
- the connection agent 304 can facilitate secure connectivity when employees connect at an enterprise campus, when employees travel off campus, when employees are at their homes, etc.
- the enterprise's information technology administrators may configure the policies 314 so the connection agent 304 operates at a risk level acceptable to the enterprise. Administrators and trusted parties outside the enterprise may provide the provisioning information 318 .
- the connection agent 304 uses the provisioning information 318 to determine whether networks are trusted (e.g., by comparing information received from networks to the provisioning information 318 ).
- the provisioning information 318 includes information about known networks.
- the provisioning information may indicate the network's identification information, authentication protocols, authentication credentials (e.g., passwords, certificates, etc.), access point locations (for wireless networks), dial-up telephone numbers (for dial-up networks), and other information useful for connecting to the network.
- the following lists show provisioning information for networks of different media types.
- the provisioning information can include records for multiple networks of the same media type.
- the provisioning information 316 is organized into network directories (a.k.a. phonebooks).
- the provisioning information 316 may include three network directories:
- all networks in a particular directory may have the same trust level.
- all networks in the campus directory may have the highest trust level (e.g., because networks in the campus directory are controlled by the enterprise).
- For each network represented in a network directory, there is a list of provisioning information.
- a Wi-Fi network in the campus directory may have the following provisioning information: SSID, category, trust level, etc.
- the network directory in which a network is listed can affect how a network is scored and ranked (described below).
- the classification unit 308 can use the venue cache 320 to save time.
- the venue cache 320 stores authoritative network information collected during prior network connections. For example, the venue cache 320 may associate a Wi-Fi network's MAC/BSSID combination with a trust level, based on a prior connection. If the classification unit 308 encounters a network with a matching MAC/BSSID combination, it can resolve the MAC/BSSID combination to an initial trust level stored in the venue cache 320 . If the classification unit 308 uses the venue cache 320 to classify a network, it can mark a flag to indicate cache values were used to classify the network.
- the connection agent 304 updates the network's trust level, category (e.g., known or unknown), score (described below), ranking (described below), and other information. Updating may change the trust level, which may cause the connection agent to make the network inaccessible (e.g., if the updated trust level became untrusted).
- entries in the venue cache 320 may become invalid when a network is out of range for a given number of network scan cycles, when a link down event occurs, and when a network adapter is powered off.
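The classification step of FIG. 1 (comparing a beaconed SSID and BSSID against provisioning) and the venue cache just described, with its three invalidation triggers, are shown together below as an added example in Python. This is illustrative code written for this page, not the patent's or any product's implementation. The directory names "partner" and "public", the out-of-range threshold of three scan cycles, and the treatment of a provisioned SSID seen from an unprovisioned BSSID as unknown and untrusted are assumptions; the page only names the campus directory and leaves those numbers and cases open.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Trust level per network directory. The page names a "campus" directory with the
# highest trust; "partner" and "public" are assumed names for the other two.
DIRECTORY_TRUST = {"campus": "trusted", "partner": "semi-trusted", "public": "untrusted"}


@dataclass(frozen=True)
class WifiRecord:
    """One Wi-Fi entry from the provisioning information."""
    ssid: str
    bssids: FrozenSet[str]    # BSSIDs of the access points that belong to the network
    auth_protocol: str        # expected authentication protocol
    directory: str            # network directory (phonebook) holding the record


@dataclass
class Classification:
    category: str             # "known" or "unknown"
    trust: str                # "trusted", "semi-trusted" or "untrusted"
    from_cache: bool = False  # flag set when the venue cache supplied the result
    reason: str = ""


@dataclass
class VenueEntry:
    category: str
    trust: str
    adapter: str              # adapter through which the network was seen
    unseen_cycles: int = 0    # consecutive scan cycles with the BSSID out of range


class VenueCache:
    """Earlier classification results keyed by BSSID, with the page's invalidation rules."""
    MAX_UNSEEN_CYCLES = 3     # assumed threshold; the page leaves the number open

    def __init__(self) -> None:
        self._entries: Dict[str, VenueEntry] = {}

    def remember(self, bssid: str, category: str, trust: str, adapter: str) -> None:
        self._entries[bssid.lower()] = VenueEntry(category, trust, adapter)

    def lookup(self, bssid: str) -> Optional[VenueEntry]:
        return self._entries.get(bssid.lower())

    def scan_cycle(self, seen_bssids: List[str]) -> None:
        """Age every entry not seen in this scan; drop entries out of range too long."""
        seen = {b.lower() for b in seen_bssids}
        for bssid, entry in list(self._entries.items()):
            entry.unseen_cycles = 0 if bssid in seen else entry.unseen_cycles + 1
            if entry.unseen_cycles >= self.MAX_UNSEEN_CYCLES:
                del self._entries[bssid]

    def link_down(self, bssid: str) -> None:
        self._entries.pop(bssid.lower(), None)

    def adapter_off(self, adapter: str) -> None:
        for bssid, entry in list(self._entries.items()):
            if entry.adapter == adapter:
                del self._entries[bssid]

    def __len__(self) -> int:
        return len(self._entries)


def classify_wifi(ssid: str, bssid: str, provisioning: List[WifiRecord],
                  cache: Optional[VenueCache] = None) -> Classification:
    """Classify a beaconing network (stage 2 of FIG. 1) without probing it."""
    bssid = bssid.lower()
    if cache is not None:
        hit = cache.lookup(bssid)
        if hit is not None:
            return Classification(hit.category, hit.trust, from_cache=True, reason="venue cache")
    for rec in provisioning:
        if rec.ssid == ssid and bssid in rec.bssids:
            return Classification("known", DIRECTORY_TRUST[rec.directory],
                                  reason=f"SSID and BSSID match {rec.directory} directory")
    if any(rec.ssid == ssid for rec in provisioning):
        # A provisioned SSID seen from an unprovisioned access point: treated here as
        # unknown and untrusted (assumption; the page does not spell this case out).
        return Classification("unknown", "untrusted", reason="SSID provisioned, BSSID is not")
    return Classification("unknown", "untrusted", reason="not in provisioning")


# Constructed provisioning records for the demonstration below.
PROVISIONING = [
    WifiRecord("corp-wifi", frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"}), "802.1X", "campus"),
    WifiRecord("partner-wifi", frozenset({"aa:bb:cc:dd:ee:01"}), "WPA2-PSK", "partner"),
]


def demo() -> dict:
    cache = VenueCache()
    first = classify_wifi("corp-wifi", "00:11:22:33:44:01", PROVISIONING, cache)
    cache.remember("00:11:22:33:44:01", first.category, first.trust, adapter="wlan0")
    second = classify_wifi("corp-wifi", "00:11:22:33:44:01", PROVISIONING, cache)  # cache hit
    impostor = classify_wifi("corp-wifi", "de:ad:be:ef:00:01", PROVISIONING, cache)
    for _ in range(VenueCache.MAX_UNSEEN_CYCLES):
        cache.scan_cycle(seen_bssids=["aa:bb:cc:dd:ee:01"])  # corp AP out of range each cycle
    return {"first": first, "second": second, "impostor": impostor, "cache_size": len(cache)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `from_cache` flag corresponds to the marker the page says the classification unit sets when cache values were used; a later update of the trust level (as described for block 428) should clear or overwrite the cached entry rather than keep serving the stale one.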
- the characterization unit 310 can use the result cache 322 to save time, such as by avoiding certain network probes.
- network characterization entails an iterative process that repeats certain network probe operations.
- the characterization unit 310 can store results of a network probe operation in the result cache 322 , and later use those cached results instead of repeating the probe operations. Entries in the result cache 322 may become invalid for the following reasons: a corresponding network adapter is powered off or otherwise disabled, a network goes out of range or link down event occurs, an entry's time to live expires, and the characterization unit 310 forces a re-probe of the network.
- the computing devices can include any suitable processors, memory devices, storage devices, display devices, application-specific integrated circuits, and other components for carrying out operations described herein.
- inventive subject matter can be embodied as systems, methods, or computer program products. Accordingly, aspects of the present inventive subject matter may take the form of entirely hardware embodiments, entirely software embodiments (e.g., including firmware, resident software, micro-code, etc.), or embodiments combining software and hardware. Furthermore, aspects of the inventive subject matter may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, and a magnetic storage device.
- a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
- a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
- a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
- Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
- FIGS. 4-6 describe operations for detecting, classifying, characterizing, and connecting to networks.
- FIG. 4 is a flow diagram illustrating operations for detecting, classifying, characterizing, and connecting to networks, according to some embodiments.
- a connection agent performs the operations shown in the flow 400 , which begins at block 402 .
- a connection agent's event unit 306 detects network events.
- the event unit 306 registers to receive events from an operating system residing on the computing device 302 .
- after the connection agent 304 launches into operation, it goes inactive until the operating system reports an event.
- the operating system can detect the events at network adapters and other peripheral devices, and report the events to the event unit 306 .
- the network events can indicate that networks are available, unavailable, or that network information has changed.
- the events can include Ethernet link-up events, detection of Wi-Fi beacons, changes to Wi-Fi signal strength, user input at peripheral devices, etc.
- the flow continues at block 404 .
- the connection agent 204 iteratively processes each of the network events by performing operations shown at blocks 404 , 406 , and 408 .
- the connection agent's classification unit 308 classifies a network associated with the latest network event.
- the classification unit 308 can use information that was received from the network without probing the network.
- the type of information received from the network depends on the media type of the network detected. For example, for Wi-Fi networks, the connection agent may detect Wi-Fi beacons including SSIDs, BSSIDs, and other information. For 3G networks, the agent may detect a 3G network identifier. For dial-up networks, the connection agent may detect a signal (e.g., dial tone) or other information. Thus, after receiving information from/about the network, the connection agent knows the network's media type and other information (e.g., Wi-Fi SSID, 3G network identifier, etc.).
- the connection agent's classification unit 308 compares the network information against information in the provisioning information 316 .
- the classification unit 308 creates/maintains a network list including all available networks (i.e., networks detected at block 402 ).
- the network list is used later in the flow 400 .
- the operation at block 406 is described in greater detail in FIG. 6 , which shows how some embodiments classify networks. FIG. 6 will be discussed in detail below.
- the flow continues at block 408 .
- connection agent 304 determines whether there are more network events for processing (i.e., events received at block 402 ). If there are more network events, the flow continues at block 404 . Otherwise, the flow continues at block 410 .
- connection agent scores each network in the network list.
- the classification unit 308 creates a network list including the networks it has classified.
- the connection agent's scoring unit 313 can determine a score for each network in the network list. In some embodiments, one or more of the following factors contribute to a network's score:
- each of the above-noted factors can be weighted, and then combined to constitute a network score for each network in the network list. Weights can be preset or adjustable. Some of the factors are included in the provisioning information 316 (e.g., provisioner type), whereas other factors are determined based on information received from the network (e.g., signal strength). Thus, at block 410 , the connection agent's scoring unit 313 determines a network score for each network in the network list. The flow continues at block 412 .
- the connection agent's score unit 313 ranks the network list based on the scores. For example, the network receiving the highest score may be the top-ranked network. The network rankings may descend along with network scores, where the second highest score has the second-highest rank, the third highest score has the third highest rank, and so on. In some instances, higher ranked networks are more trusted, have better signal strength, have fewer transmission errors, etc. Embodiments can employ any suitable ranking system. The flow continues at block 414 .
- connection agent's display unit 312 creates a filtered network list.
- the filtered list can include only networks that were classified as known and trusted.
- the display unit 312 does not filter the network list. The flow continues at block 416 .
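Blocks 410 through 414 (weighting the scoring factors, ranking by score, and filtering the list to known and trusted networks) are shown below as an added Python example written for this page; it is not the patent's or any product's scoring code. The factor names (trust, signal strength, connection history, media type, network directory) come from the page; the weights, the per-factor value tables, the cap of ten connections for the history factor, and the network names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Preset weights; the page says weights can be preset or adjustable. Values are assumptions.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "trust": 0.4, "signal": 0.25, "history": 0.15, "media": 0.1, "directory": 0.1,
}
TRUST_VALUE = {"trusted": 1.0, "semi-trusted": 0.5, "untrusted": 0.0}
MEDIA_VALUE = {"wifi": 1.0, "ethernet": 1.0, "4g": 0.8, "3g": 0.6, "isdn": 0.3, "dialup": 0.1}
DIRECTORY_VALUE = {"campus": 1.0, "partner": 0.6, "public": 0.2}   # directory names assumed


@dataclass
class Network:
    name: str
    media: str
    category: str                 # "known" or "unknown", from classification
    trust: str                    # "trusted", "semi-trusted" or "untrusted"
    signal: float                 # normalised signal strength, 0.0 .. 1.0
    successful_connections: int   # connection history
    directory: str                # provisioning directory, "" when not provisioned


def factor_values(n: Network) -> Dict[str, float]:
    """Map each scoring factor onto 0.0 .. 1.0 so the weights are comparable."""
    return {
        "trust": TRUST_VALUE[n.trust],
        "signal": max(0.0, min(1.0, n.signal)),
        "history": min(n.successful_connections, 10) / 10.0,   # cap at 10 (assumption)
        "media": MEDIA_VALUE.get(n.media, 0.0),
        "directory": DIRECTORY_VALUE.get(n.directory, 0.0),
    }


def score(n: Network, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Block 410: weighted combination of the factors, rounded for stable comparison."""
    values = factor_values(n)
    return round(sum(weights[k] * values[k] for k in weights), 4)


def rank(networks: List[Network], weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[Network]:
    """Block 412: highest score first; name breaks ties so the order is deterministic."""
    return sorted(networks, key=lambda n: (-score(n, weights), n.name))


def filtered_list(networks: List[Network], known_trusted_only: bool = True) -> List[Network]:
    """Block 414: optionally keep only networks classified as known and trusted."""
    ranked = rank(networks)
    if not known_trusted_only:
        return ranked
    return [n for n in ranked if n.category == "known" and n.trust == "trusted"]


# Constructed network list, as the classification unit would have produced it.
NETWORKS = [
    Network("corp-wifi", "wifi", "known", "trusted", 0.8, 5, "campus"),
    Network("hotel-wifi", "wifi", "unknown", "untrusted", 0.95, 0, ""),
    Network("carrier-3g", "3g", "known", "trusted", 0.5, 20, "partner"),
    Network("office-isdn", "isdn", "known", "semi-trusted", 1.0, 2, "partner"),
]


def demo() -> Dict[str, List[str]]:
    return {
        "ranked": [n.name for n in rank(NETWORKS)],
        "filtered": [n.name for n in filtered_list(NETWORKS)],
    }


if __name__ == "__main__":
    for n in rank(NETWORKS):
        print(f"{n.name:12s} {score(n):.4f} {n.category}/{n.trust}")
    print(demo())
```

Note that a strong signal alone does not lift the unknown hotel network above provisioned ones: the trust and directory factors carry more weight, which is the property an administrator tuning the weights in the policies would want to preserve.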
- FIG. 5 is a block diagram illustrating a graphical user interface, according to some embodiments of the invention. As shown in FIG. 5 , the graphical user interface 500 presents the ranked network list. Additionally, the graphical user interface 500 indicates whether the networks are trusted, and a network media type (e.g., Wi-Fi). In some embodiments, users can select one of the networks in the graphical user interface 500 . Referring back to FIG. 4 , the flow continues at block 418 .
- connection agent 304 detects an event. The flow continues at block 420 .
- the connection agent determines whether the event is a network event or a user event. If the event is a network event, the flow continues at block 406 . If the flow continues at block 406 , the flow will not loop through blocks 404 , 406 , 408 because there is only one network event to process at block 408 —the event detected at block 418 . Thus, after classifying the network associated with the network event (block 406 ), the flow will continue through block 408 to block 410 . At block 410 , the connection agent scores the network list and proceeds through the flow 400 .
- the user event represents user input selecting a network for connection from the graphical user interface 500 .
- the connection agent 308 will not complete the connection unless it can verify more information about the network. That is, the agent 308 will not connect until it has more information corroborating trustworthiness of the network.
- the connection agent's characterization unit 310 characterizes the selected network.
- the connection agent's characterization unit 310 characterizes the selected network by probing the network for information without establishing a network connection. For example, for Wi-Fi networks, the characterization unit 310 may determine that a Wi-Fi network's authentication protocol is 802.1X.
- the characterization unit 310 can probe the Wi-Fi network by sending an identification request to the network's 802.1X server, and receiving a response from the 802.1X server. If the 802.1X server's response matches provisioning information, the characterization unit 310 may characterize the network as known and trusted.
- the connection agent 304 can make better decisions about whether a given network poses risks (e.g., viruses, data theft, etc.) without actually connecting to the network.
- connection agent performs different operations for characterizing networks depending on network type. For example, operations for characterizing Wi-Fi networks may differ from operations for characterizing Ethernet networks.
- FIGS. 7-12 describe operations for characterizing different network types. The flow continues at block 423 .
- connection agent determines whether the characterization produced a match in provisioning information. If there is no match, the flow continues at block 434 . Otherwise, the flow continues at block 424 .
- the connection agent's connection unit 315 determines whether the selected network appears safer as a result of characterization. That is, the connection unit 315 compares the results of classification with the results of characterization. For example, the classification operation (at block 406 ) may indicate that a network is known but untrusted. After the connection agent 304 performs characterization (at block 422 ), the perceived trust level may increase (changing from untrusted to trusted), decrease (changing from trusted to untrusted), or remain the same. If the trust level is the same or increases, the flow continues at block 426 . If the trust level decreases, the flow continues at block 432 .
- connection agent's connection unit 315 connects to the network.
- the computing device 302 can communicate with other devices on the network, such as enterprise servers 204 , web servers, e-mail servers, etc.
- the flow continues at block 428 .
- the characterization unit 310 updates the venue cache 320 to include information learned from the characterization operation (at block 422 ). Such information may indicate that the network to which the connection agent is connected is known and trusted. The flow continues at block 430 .
- the characterization unit 310 performs post-connection characterization. After connecting to the network, the characterization unit 310 can learn more about whether the network is authentic. For example, the characterization unit 310 can query the provisioning information 316 to determine a list of devices (e.g., printers, storage devices, fax devices, etc.) that should be available on the network. If the devices enumerated in the provisioning information 316 are available, the characterization unit 310 has more evidence supporting its determination that the network should be trusted. However, if none of the devices are available, the characterization unit 300 may perform additional tests, or it may downgrade the trust level. Additional post-connection tests can determine whether devices, services, protocols, etc. listed in the provisioning information 316 are actually available on the network. From block 430 , the flow ends.
- the flow continues at block 432 .
- the characterization unit 310 updates the venue cache 320 to include information learned from the characterization operation (at block 422 ). Such information may indicate that the network is known and untrusted.
- the flow continues at block 434 .
- connection agent's connection unit 315 refuses connection to the network.
- the connection agent 304 refuses to connect to a network because the network's trust level is untrusted, or otherwise has a lower trust level than needed for establishing a connection. From block 434 , the flow ends.
- the connection agent performs operations for classifying networks. For example, in FIG. 4 , a connection agent classifies a network at block 406 .
- FIG. 6 provides details about how some embodiments may perform network classification.
- FIG. 6 is a flow diagram illustrating operations for classifying networks, according to some embodiments of the invention. Some embodiments may perform the operations of FIG. 6 when performing the classification at FIG. 4 's block 406 .
- the connection agent detects one or more network events.
- the flow 600 describes how some embodiments characterize networks by processing those network events.
- the connection agent's classification unit 308 determines what type of network event was detected.
- the network event can be one of three types: an add event, delete event, or update event.
- An add event indicates that a network is available and should be added to a list of available networks (i.e., the network list).
- a delete event indicates that a network is no longer available, so the network should be deleted from the network list.
- An update event indicates some information about the network has changed. If the event is an add event, the flow continues at block 604 . If the event is an update event, the flow continues at block 614 . If the event is a delete event, the flow continues at block 616 .
- the classification unit 308 adds the network to a list of available networks (i.e., the network list). The flow continues at block 606 .
- the add event indicates information about a network (i.e., the network from which the add event originated).
- the event can include information in a Wi-Fi beacon, such as SSID, BSSID, etc.
- the event may include the 3G network's identifier.
- the event can include other information for networks of other media types.
- the classification unit 308 compares this information with information in the venue cache 320 . If there is a match in the venue cache, the flow continues at block 608 .
- the classification unit 308 determines whether the network is known and trusted based on information in the venue cache 320 . Based on previous classifications and/or characterizations, the venue cache 320 indicates a network category (e.g., known or unknown) and network trust level (e.g., trusted, untrusted, semi-trusted). From block 608 , the flow ends.
- the classification unit 308 determines whether information about the network matches provisioning information, such as information in one of the network directories (a.k.a. phone books). If the information does not match provisioning information, the flow continues at block 612 , where the classification unit 308 assigns the network category to be unknown, and the network trust level to be un-trusted. From block 612 , the flow ends.
- the flow continues at block 618 .
- the classification unit 308 assigns the network's category to be known, and the network's trust level to be a trust level indicated in the provisioning information (e.g., trusted). From block 618 , the flow ends.
- the classification unit 308 updates information associated with the network.
- the event may indicate a change in signal strength.
- the classification unit 308 records the signal strength change because such a change may affect scores and ranking.
- the flow continues at block 616 .
- the classification unit 308 deletes the network from the network list. As a result, the network is no longer available for connection. From block 616 , the flow ends.
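The classification flow of FIG. 6 (blocks 602-618) and the connect gate of FIG. 4 (blocks 423-434) worked through as added example code; it is not the patent's or iPass's connection agent code. The dict-based venue cache and directories, the NetworkInfo fields and the ordering untrusted < semi-trusted < trusted are this example's assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Trust levels named in the description, ordered from lowest to highest.
# The ordering itself is an assumption of this example.
TRUST_ORDER = ("untrusted", "semi-trusted", "trusted")


def trust_rank(level: str) -> int:
    return TRUST_ORDER.index(level)


@dataclass(frozen=True)
class Verdict:
    category: str  # "known" or "unknown"
    trust: str     # one of TRUST_ORDER


UNKNOWN_UNTRUSTED = Verdict("unknown", "untrusted")


@dataclass
class NetworkInfo:
    """Information carried by a network event (SSID/BSSID for Wi-Fi); constructed fields."""
    media: str
    ssid: str
    bssid: str
    signal: int = 0  # signal-strength figure that only affects scoring, not trust

    def key(self) -> Tuple[str, str, str]:
        return (self.media, self.ssid, self.bssid)


@dataclass
class ClassificationUnit:
    # venue cache 320: verdicts learned from earlier classification/characterization
    venue_cache: Dict[tuple, Verdict]
    # provisioning directories ("phone books"): key -> trust level the entry indicates
    directories: Dict[tuple, str]
    network_list: Dict[tuple, NetworkInfo] = field(default_factory=dict)

    def handle_event(self, kind: str, info: NetworkInfo) -> Optional[Verdict]:
        """Dispatch of block 602. Only add events yield a classification."""
        k = info.key()
        if kind == "add":                       # block 604
            self.network_list[k] = info
            return self.classify(info)          # blocks 606-618
        if kind == "update":                    # block 614
            if k in self.network_list:
                self.network_list[k].signal = info.signal
            return None
        if kind == "delete":                    # block 616
            self.network_list.pop(k, None)
            return None
        raise ValueError(f"unknown event type {kind!r}")

    def classify(self, info: NetworkInfo) -> Verdict:
        k = info.key()
        if k in self.venue_cache:               # block 606 -> 608: a cache hit decides
            return self.venue_cache[k]
        trust = self.directories.get(k)         # block 610
        if trust is None:                       # block 612
            return UNKNOWN_UNTRUSTED
        return Verdict("known", trust)          # block 618


def connect_decision(classified: Verdict, characterized: Optional[Verdict]) -> str:
    """Blocks 423/424 of FIG. 4: refuse when characterization found no provisioning
    match, or when it lowered the trust level that classification had assigned."""
    if characterized is None:                                           # block 423
        return "refuse"                                                 # block 434
    if trust_rank(characterized.trust) < trust_rank(classified.trust):  # block 424
        return "refuse"                                                 # blocks 432/434
    return "connect"                                                    # block 426


def record_characterization(unit: ClassificationUnit, info: NetworkInfo,
                            classified: Verdict, characterized: Optional[Verdict]) -> str:
    """Blocks 428/432: whatever the decision, a characterization that matched
    provisioning is written to the venue cache so later classifications see it."""
    decision = connect_decision(classified, characterized)
    if characterized is not None:
        unit.venue_cache[info.key()] = characterized
    return decision
```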
- network characterization is a process by which a connection agent compares information received from a network to provisioning information that describes a network.
- the following flow diagrams show how embodiments of the invention can employ different techniques of characterization for different network media.
- FIG. 7 describes operations for characterizing Wi-Fi networks
- FIG. 9 describes operations for classifying Ethernet networks.
- FIGS. 8 & 10 - 12 include operations for characterizing other network media types.
- when performing characterization at block 422 of FIG. 4 , the connection agent performs one or more of the following flow diagrams. The discussion continues with a description of characterizing Wi-Fi networks.
- FIG. 7 is a flow diagram illustrating operations for characterizing Wi-Fi networks, according to some embodiments of the invention.
- the flow 700 begins at block 702 , where a connection agent receives information about a Wi-Fi network.
- the information is included in a network event, which is detected at FIG. 4 's block 402 .
- the information can originate from a Wi-Fi access point, and include an SSID, Wi-Fi beacon, media type indicator, etc.
- the connection agent uses this information to classify the network, as described below.
- the flow continues at block 704 .
- the connection agent tries to match the network information received at 702 with provisioning information, such as the network directories. For example, the connection agent tries to match the network information (e.g., SSID, beacon, and media type) to entries in its public directory, private directory, and campus directory.
- the connection agent determines whether the network information matches provisioning information. For example, the information (received at block 702 ) may match entries in the public directory, campus directory, and personal directory. In some instances, the network information matches entries in more than one directory. The connection agent creates a list including all the matching directory entries. If there is a match, the flow continues at block 708 , where the connection agent processes entries in the list. Otherwise, the flow ends.
- the flow begins a loop that processes each matching entry in the list. For example, a first pass through the loop will process a list entry that matched in the public directory, whereas a second pass through the loop will process a match in the campus directory, and so on for all list entries.
- the flow continues at block 710 .
- the connection agent determines an authentication method based on the matching provisioning information. For example, each entry in the list of matching directory entries indicates an authentication method employed by a network. The connection agent will probe the network to verify the authentication method. The connection agent probes in different ways depending on the authentication method. If the entry indicates that the network uses 802.1X, Wi-Fi Protected Access (WPA)+Temporal Key Integrity Protocol (TKIP), or WPA2+Advanced Encryption Standard (AES), the flow continues at block 711 . If the entry indicates that the network uses Wired Equivalent Privacy (WEP), the flow continues at block 718 . If the entry indicates that the network uses a pre-shared key (PSK) protocol, the flow continues at block 720 . If the entry indicates that the network is open (i.e., the network uses no authentication protocol), the flow continues at block 722 .
- the connection agent probes the network's 802.1X device. For example, the connection agent sends an ID request to the 802.1X server and receives a response.
- the connection agent can store the response in a response cache (e.g., response cache 322 ).
- the connection agent can reuse this information in future iterations of the loop. For example, when processing another entry in the list, if the entry's authentication protocol is 802.1X, the connection agent can skip block 711 by using results from the result cache.
- the connection agent determines whether information included in the 802.1X server's response matches authentication information in the matching directory entry. If there is a match, the connection agent updates the list entry's network category to be known and its trust level to “trusted.” (See block 714 .) If there is no match, the connection agent updates the list entry's network category to be unknown and its trust level to untrusted. (See block 716 .) In the flow 700 , the blocks 714 and 716 continue at block 728 .
- the connection agent associates with the network using a WEP key included in the provisioning information (e.g., the matching directory entry).
- the connection agent can store information about associating with the network in the result cache. The flow continues at block 722 .
- the connection agent attempts to associate with the Wi-Fi network using a pre-shared key indicated in the provisioning information (e.g., the matching network directory entry).
- the connection agent can store information about associating with the network in the result cache. The flow continues at block 722 .
- connection agent moves to block 726 , where it performs more characterization at the network layer (i.e., layer 3 ) of the OSI stack. For more information about performing more characterization of the network layer, see the discussion of FIG. 8 below.
- the connection agent moves to block 724 , where it removes the network entry from the list of matching network entries.
- the flow continues at block 728 , where the connection agent determines whether there are more matching network entries to process. If so, the flow 700 loops back to 708 . Otherwise, the flow ends.
- the network information received at block 702 may match multiple entries in the network directories.
- the connection agent creates a list of matching entries, and then processes the list. After the flow 700 , the list may include more than one entry.
- the connection agent may select and return one entry from the list, where the selected entry indicates a category and trust level for the network. The selection process can consider security policies and other factors.
- the connection agent selects the list entry indicating the highest trust level (e.g., a network that is known and trusted).
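The loop of FIG. 7 (blocks 706-728) and the final selection of the highest-trust entry, as added example code rather than the patent's own. The probes are injected callables so the loop runs offline; the DirectoryEntry fields (including the expected 802.1X identity), the result-cache layout, and modelling block 722 as a shared layer-3 probe that returns None when no network is reachable are this example's assumptions:

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TRUST_ORDER = ("untrusted", "semi-trusted", "trusted")
Verdict = Tuple[str, str]  # (category, trust)

# Authentication methods that block 710 routes to the 802.1X probe at block 711.
DOT1X_FAMILY = {"802.1X", "WPA-TKIP", "WPA2-AES"}


@dataclass
class DirectoryEntry:
    directory: str        # "public", "personal" or "campus"
    ssid: str
    auth: str             # "802.1X", "WPA-TKIP", "WPA2-AES", "WEP", "PSK" or "open"
    expected_identity: str = ""   # identity the 802.1X server should announce (assumed field)
    trust: str = "trusted"


@dataclass
class Observed:
    """Constructed network information as received at block 702."""
    ssid: str
    bssid: str


def characterize_wifi(
    observed: Observed,
    directories: List[DirectoryEntry],
    probe_dot1x: Callable[[Observed], str],
    probe_layer3: Callable[[Observed], Optional[Verdict]],
) -> List[Tuple[DirectoryEntry, str, str]]:
    """Blocks 704-728. probe_dot1x returns the identity from the 802.1X ID exchange;
    probe_layer3 returns the FIG. 8 verdict, or None when no network is reachable.
    Returns the entries still on the list after the loop, each with its verdict."""
    matches = [e for e in directories if e.ssid == observed.ssid]    # blocks 704/706
    if not matches:
        return []
    result_cache = {}    # result cache 322: one probe per method for the whole loop
    surviving = []
    for entry in matches:                                           # block 708
        if entry.auth in DOT1X_FAMILY:                              # block 710 -> 711
            if "dot1x" not in result_cache:
                result_cache["dot1x"] = probe_dot1x(observed)
            if result_cache["dot1x"] == entry.expected_identity:    # block 712
                surviving.append((entry, "known", "trusted"))       # block 714
            else:
                surviving.append((entry, "unknown", "untrusted"))   # block 716
            continue
        # WEP (718), PSK (720) and open networks all reach block 722, modelled here
        # as one layer-3 probe whose result is shared through the cache.
        if "layer3" not in result_cache:
            result_cache["layer3"] = probe_layer3(observed)
        verdict = result_cache["layer3"]
        if verdict is None:                                         # block 724
            continue                                                # entry dropped from the list
        surviving.append((entry, verdict[0], verdict[1]))           # block 726
    return surviving


def select_verdict(surviving: List[Tuple[DirectoryEntry, str, str]]) -> Verdict:
    """Return the highest trust level among the surviving entries, or
    unknown/untrusted when nothing survived the loop."""
    if not surviving:
        return ("unknown", "untrusted")
    _, category, trust = max(surviving, key=lambda r: TRUST_ORDER.index(r[2]))
    return (category, trust)
```

A rogue access point that copies a directory SSID ends up untrusted in every entry because the 802.1X identity it presents does not match the provisioned one, and the cache means the probe is sent once no matter how many directories matched.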
- block 722 performs characterization operations at layer 3 (i.e., the network layer) of the network.
- FIG. 8 describes how some embodiments may perform network-layer characterization. This discussion continues with a description of FIG. 8 .
- FIG. 8 is a flow diagram illustrating operations for characterizing a network based on network-layer interactions, according to some embodiments of the invention.
- a flow 800 begins at block 802 , where a connection agent (or another component) acquires an Internet Protocol (IP) address.
- the flow continues at block 804 .
- if the connection agent cannot acquire an IP address, the flow ends.
- connection agent probes a network server. For example, the connection agent sends an HTTP request to a known server, such as a server maintained by iPass, Inc. of Redwood City, Calif. In some embodiments, the server is guaranteed to be online and not cached.
- the flow continues at block 806 .
- the connection agent determines whether the probe was redirected to a gateway. For example, the connection agent's HTTP request may have been redirected to a gateway that performs authentication before allowing access to the Internet. If the network probe was redirected, the flow continues at block 808 . Otherwise, the flow continues at block 816 .
- the connection agent determines whether the gateway supports Generic Interface Specification (GIS). In some instances, the connection agent and gateway exchange HTML documents. The connection agent can detect GIS support by detecting an HTML tag associated with GIS. If the gateway supports GIS, the flow continues at block 810 . If the gateway does not support GIS, the flow continues at block 824 .
- the connection agent determines whether the gateway supports location discovery.
- Location discovery is a function by which the connection agent transmits a “dummy” authentication request to the gateway.
- the gateway responds to the dummy authentication request with location information, such as street address, company name, telephone number, or other information about the network and its location. If the gateway supports location discovery, the flow continues at block 812 . If the gateway does not support location discovery, the flow continues at block 826 . In yet another possibility, if the connection agent itself does not support location discovery, the flow continues at block 824 .
- the connection agent determines whether provisioning information indicates that the network is listed in the public directory, and that the network is GIS-enabled. If the provisioning information indicates the network is listed in the public directory and GIS-enabled, the flow continues at block 814 . Otherwise, the flow continues at block 828 .
- the connection agent determines that the network is a trusted, public network.
- the connection agent determines that the network is un-trusted and unknown. From blocks 814 and 828 , the flow ends.
- connection agent determines whether the network is listed in the personal directory, and the network's BSSID matches provisioning information. If not, the connection agent determines a network is unknown and un-trusted (see block 828 ). Otherwise, the flow continues at block 820 . At block 820 , the connection agent determines whether the network's subnet mask and gateway IP address match provisioning information. If so, the connection agent assigns the category and trust level to be those indicated in the provisioning information (e.g., known and trusted) (see block 822 ). However, if the addresses do not match, the flow continues at block 828 , where the connection agent determines that the network is unknown and un-trusted.
- connection agent determines whether it has received content from the website that it probed. For example, the connection agent determines whether it has received content from the iPass website. If the connection agent received content from the website that it probed, the flow continues at block 818 . At block 818 , the connection agent determines whether the network is not GIS-enabled and not click-through-enabled. If so, the flow continues at block 828 , where the connection agent determines a network is un-trusted and unknown. Otherwise, the flow continues at block 820 (see description of block 820 above).
- connection agent determines whether the website is click-through-enabled. If so, the flow continues at block 820 . Otherwise, the flow continues at block 822 .
- the operations at blocks 820 and 822 are described above.
- after completing the flow 800 , the connection agent has performed operations for characterizing the network based on interactions at the network layer. In some embodiments, the connection agent uses results from the network-layer characterization in other characterization flows, such as the flow for characterizing a Wi-Fi network (see block 722 of FIG. 7 ).
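The decision tree of FIG. 8 (blocks 802-828) as added example code, not the patent's own. The ProbeResult and Provisioning field names, reducing the HTTP probe outcome to booleans, and treating a probe that is neither redirected nor answered with content as ending the flow are this example's assumptions:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Verdict = Tuple[str, str]  # (category, trust)
UNKNOWN_UNTRUSTED: Verdict = ("unknown", "untrusted")
PUBLIC_TRUSTED: Verdict = ("public", "trusted")


@dataclass
class ProbeResult:
    """What the agent observed after acquiring an address and sending the HTTP probe."""
    got_ip: bool
    redirected: bool                          # block 806: a gateway answered, not the server
    gateway_supports_gis: bool = False        # block 808
    gateway_supports_location: bool = False   # block 810
    received_content: bool = False            # block 816: the probed server's own content arrived
    bssid: str = ""
    subnet_mask: str = ""
    gateway_ip: str = ""


@dataclass
class Provisioning:
    """The directory entry being tested; field names are this example's."""
    in_public_directory: bool = False
    gis_enabled: bool = False
    click_through_enabled: bool = False
    in_personal_directory: bool = False
    bssid: str = ""
    subnet_mask: str = ""
    gateway_ip: str = ""
    category: str = "known"
    trust: str = "trusted"


def _addresses_match(p: ProbeResult, prov: Provisioning) -> Verdict:
    """Block 820 -> 822/828: the provisioned verdict only if mask and gateway agree."""
    if p.subnet_mask == prov.subnet_mask and p.gateway_ip == prov.gateway_ip:
        return (prov.category, prov.trust)                  # block 822
    return UNKNOWN_UNTRUSTED                                # block 828


def _personal_path(p: ProbeResult, prov: Provisioning) -> Verdict:
    """Block 824: personal-directory networks must match on BSSID, then on addresses."""
    if not (prov.in_personal_directory and p.bssid == prov.bssid):
        return UNKNOWN_UNTRUSTED                            # block 828
    return _addresses_match(p, prov)                        # block 820


def characterize_layer3(p: ProbeResult, prov: Provisioning,
                        agent_supports_location: bool = True) -> Optional[Verdict]:
    """Walk FIG. 8; None means the flow ended without a verdict."""
    if not p.got_ip:                                        # block 802: flow ends
        return None
    if p.redirected:                                        # block 806
        if p.gateway_supports_gis:                          # block 808
            if not agent_supports_location:                 # block 810 -> 824
                return _personal_path(p, prov)
            if p.gateway_supports_location:                 # block 810 -> 812
                if prov.in_public_directory and prov.gis_enabled:
                    return PUBLIC_TRUSTED                   # block 814
                return UNKNOWN_UNTRUSTED                    # block 828
            if prov.click_through_enabled:                  # block 826 -> 820
                return _addresses_match(p, prov)
            return (prov.category, prov.trust)              # block 826 -> 822
        return _personal_path(p, prov)                      # block 808 -> 824
    if not p.received_content:                              # block 816: nothing usable (assumed to end)
        return None
    if not prov.gis_enabled and not prov.click_through_enabled:   # block 818
        return UNKNOWN_UNTRUSTED                            # block 828
    return _addresses_match(p, prov)                        # block 820
```

The address check at block 820 is what catches a network that copies a home network's BSSID but hands out a different default gateway.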
- FIG. 9 is a flow diagram illustrating operations for characterizing 3G networks, according to some embodiments of the invention.
- a flow 900 begins at block 902 , where a connection agent detects 3G information for one or more 3G networks.
- the information can include a provider identifier, network identifier, etc.
- the connection agent attempts to match the 3G information to entries in the public directory.
- the connection agent creates a list of one or more directory entries that match the 3G network information.
- the flow continues at block 904 .
- the connection agent determines whether the computer's 3G adapter is configured to connect to a preselected 3G network.
- 3G network providers configure 3G network adapters to automatically connect upon detecting the provider's 3G network identifier. Thus, when operational in the field, such adapters automatically connect to particular 3G networks.
- the connection agent determines that the network to which the adapter connected is a public, trusted network. Thus, the connection agent modifies the list entry (i.e., the entry in the list created at block 902 ) to indicate that the 3G network is a public, trusted network. From block 910 , the flow ends.
- the connection agent determines whether the 3G information, received at block 902 , matches provisioning information. For example, for each entry in the list, the connection agent compares a provider identifier and network identifier to provisioning information. If the information matches, the connection agent determines the 3G network is a public, trusted network (see block 910 ). If the information does not match, the connection agent determines the 3G network is an unknown, untrusted network.
- the network information detected at block 902 may match multiple entries in the public directory.
- the connection agent creates a list of matching entries, and then processes the list.
- the list may include more than one entry.
- the connection agent may select and return one entry from the list, where the selected entry indicates a trust level and category for the network.
- the trust level and category are used in the flow 400 of FIG. 4 (e.g., at block 424 ).
- the selection process may consider security policies and other factors.
- the connection agent selects the list entry having the highest trust level (e.g., a network that is known and trusted) and returns that list entry.
- the following flows can also make similar selections.
- FIG. 10 is a flow diagram illustrating operations for characterizing 4G networks, according to some embodiments of the invention.
- the flow begins at block 1002 , where the connection agent detects information about one or more 4G networks.
- the 4G network information can include an SSID, network identifier, etc. The flow continues at block 1004 .
- connection agent matches the 4G network information with provisioning information.
- the connection agent compares the 4G information to the public directory.
- the connection agent creates a list of matching directory entries. The flow continues at block 1006 .
- connection agent begins a loop in which it will process each matching entry in the list.
- the flow continues at block 1008 , where the connection agent probes an 802.1X device.
- the connection agent attempts to authenticate with an 802.1X server, using provisioning information (e.g., a password from the directory entry).
- the connection agent determines whether the authentication information was accepted by the 802.1X server. If so, the flow continues at block 1012 .
- the connection agent determines that the network is a public, trusted network.
- connection agent determines that the network is unknown and untrusted (see block 1016 ). From block 1016 , the flow continues at block 1014 , where it ends if it has reached the end of the list of matching directory entries. If there are more matching directory entries to process, the flow continues at block 1006 . After performing the flow 1000 , the connection agent can select one of the list entries to return, such as for processing in the flow 400 of FIG. 4 .
- the flow diagrams describe receiving or detecting network information. For example, see the operations at blocks 902 and 1002 . For such operations, some embodiments receive/detect the network information by performing operations in FIG. 4 (e.g., at block 402 ). Other embodiments perform other operations to receive or detect the network information.
- FIG. 11 is a flow diagram illustrating operations for characterizing Ethernet and digital subscriber line (DSL) networks, according to some embodiments of the invention.
- a flow 1100 begins at block 1102 , where a connection agent detects information about one or more Ethernet and DSL networks. The flow continues at block 1104 .
- the connection agent searches provisioning information for matching networks. For example, the connection agent may search the personal directory, campus directory, and public directory for network entries associated with Ethernet and DSL networks. In some instances, the connection agent looks for directory entries that have a media type of Ethernet (or DSL), and that support 802.1X or PPP. In turn, the connection agent creates a list of matching directory entries. The flow continues at block 1106 .
- the flow 1100 performs a loop that processes each of the matching directory entries in the list.
- the flow continues at block 1108 .
- the connection agent determines, based on provisioning information, whether the network is expected to support 802.1X. If the network is expected to support 802.1X, the flow continues at block 1112 .
- the connection agent probes an 802.1X server to determine whether it will accept authentication credentials stored in the provisioning information. If the 802.1X server accepts the credentials, the network's category and trust level are those indicated in the provisioning information (see blocks 1120 and 1122 ).
- the connection agent assigns the network's category to public and trust level to trusted. If the 802.1X server does not accept the authentication information, the connection agent assigns the network's trust level to untrusted and category to unknown (see blocks 1120 and 1124 ). Blocks 1120 and 1124 continue at block 1126 , which loops back to 1106 if there are more list entries to process. If there are no more list entries to process, the flow ends.
- the flow continues at block 1116 .
- the connection agent probes the DSL network using authentication information in the matching list entry. If the network accepts the authentication information, the connection agent assigns the network's category and trust level based on what is in the provisioning information (i.e., the trust level and category noted in the matching list entry) (see blocks 1120 and 1122 ). Otherwise, the connection agent assigns the network entry's category to unknown, and its trust level to untrusted (see blocks 1120 and 1124 ). As noted above, blocks 1120 and 1124 continue at block 1126 . Block 1126 loops back to 1106 if there are more list entries to process. Otherwise, the flow 1100 ends.
- the connection agent determines a network's trust level and category by interacting with the network at layer 3 (i.e., network layer). In some embodiments, the connection agent does this by performing the operations shown in FIG. 8 . If the connection agent attempts layer 3 operations but finds that no network is available (see block 1128 ), the connection agent removes the entry from the list of matching entries (see block 1130 ). From block 1130 , the flow continues at block 1126 .
- FIG. 12 is a flow diagram illustrating operations for characterizing dial-up, GSM, ISDN, and PHS networks, according to some embodiments of the invention. Although FIG. 12 describes operations for a plurality of network media types, for clarity, the following discussion will only refer to dial-up networks.
- a flow 1200 begins at block 1202 , where a connection agent detects information from a dial-up network.
- the connection agent may receive this information from a dial-up adapter.
- the information can include geographical context information, such as latitude, longitude, altitude, zip code, county, country, city, state, continent, etc. In some embodiments, the geographical context information is received or otherwise determined by another device, such as a global positioning system device.
- the flow continues at block 1204 .
- the connection agent creates a list of networks that have matching provisioning information. For example, the connection agent searches the public directory and campus directory for entries whose media type is dial-up, and whose geographic context matches that detected at block 1202 . Although not shown, if no directory entries match, the flow ends. Otherwise, the flow continues at block 1206 .
- the flow 1200 begins a loop for processing the matching directory entries.
- the flow continues at block 1208 , where the connection agent assigns a category and trust level based on provisioning information. For example if the matching entry indicates the dial-up network is public and trusted, the connection agent assigns the category and trust level as such.
- the flow continues at block 1210 .
- if the connection agent has processed all entries in the list, the flow ends. Otherwise, the flow continues at block 1206 .
- when the connection agent probes or otherwise interacts with a network, it can store the result in a result cache. If there are multiple directory matches, after probing for the first match, the connection agent can avoid interacting with the network again by using information in the result cache.
Description
- This application claims priority benefit to U.S. patent application Ser. No. 11/239,707, filed Sep. 29, 2005. This application is a continuation-in-part of the 11/239,707 patent application. This patent application incorporates by reference the U.S. patent application Ser. No. 11/239,707 (US Patent Publication 20070073868) in its entirety.
- A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever. Copyright 2011, iPass Inc.
- Embodiments of the inventive subject matter relate generally to the field of telecommunications, and more particularly to the field of network connectivity.
- In today's computing environment, there are many broadband networks, such as free networks, enterprise networks, public hotspots, hotel broadband networks, home networks, etc. These networks typically provide extensive connectivity and high data transfer rates. However, the availability of numerous networks can pose security risks and management difficulties. For example, attackers can set up rogue network access points that appear to provide access to legitimate networks. In the course of providing access to illegitimate networks, the attackers may have an opportunity to steal data, delete data, spread viruses, etc.
- Because of the multitude of available networks, users often resort to using multiple connection clients for connecting with multiple networks. As a result, connecting to different networks is rarely seamless and often requires user intervention. Having numerous connection clients can consume considerable system resources and often causes user confusion and frustration. As a result, there is a need for a system for securely and easily connecting to networks.
- The present invention is illustrated by way of example and not limitation in the Figures of the accompanying drawings in which:
- FIG. 1 is a conceptual diagram illustrating operations of a connection agent, according to some embodiments of the invention.
- FIG. 2 is a block diagram illustrating a system in which connection agents connect computing devices to networks, according to some embodiments of the invention.
- FIG. 3 is a block diagram illustrating components of a connection agent, according to example embodiments of the invention.
- FIG. 4 is a flow diagram illustrating operations for detecting, classifying, characterizing, and connecting to networks, according to some embodiments.
- FIG. 5 is a block diagram illustrating a graphical user interface, according to some embodiments of the invention.
- FIG. 6 is a flow diagram illustrating operations for classifying networks, according to some embodiments of the invention.
- FIG. 7 is a flow diagram illustrating operations for characterizing Wi-Fi networks, according to some embodiments of the invention.
- FIG. 8 is a flow diagram illustrating operations for characterizing a network based on network-layer interactions, according to some embodiments of the invention.
- FIG. 9 is a flow diagram illustrating operations for characterizing 3G networks, according to some embodiments of the invention.
- FIG. 10 is a flow diagram illustrating operations for characterizing 4G networks, according to some embodiments of the invention.
- FIG. 11 is a flow diagram illustrating operations for characterizing Ethernet and digital subscriber line (DSL) networks, according to some embodiments of the invention.
- FIG. 12 is a flow diagram illustrating operations for characterizing dial-up, GSM, ISDN, and PHS networks, according to some embodiments of the invention.
- This document describes techniques for classifying and characterizing networks before connecting to the networks. This description of the embodiments is divided into four sections. The first section provides an introduction to some embodiments of the inventive subject matter, while the second section describes components included in some embodiments. The third section describes operations performed by some embodiments. The fourth section provides some general comments.
- Many computing devices (e.g., laptop computers, personal digital assistants, mobile media devices, etc.) connect to networks to access data, software, and services. These computing devices often include network connection agents that detect available networks, facilitate network selection, and connect to selected networks. During operation, connection agents may detect numerous networks available for connection. Some of the available networks may pose unacceptable security risks. For example, certain networks may be known for having poor security (e.g., allowing anyone to access the networks without authentication). In other instances, attackers may be operating imposter networks that appear to be known, safe networks. In reality, the imposter networks lure users to connect, so attackers can steal data, steal authentication information, destroy data, spread viruses, or perform other harmful operations.
- Some embodiments of the inventive subject matter enable computing devices to make informed decisions about whether to connect to available networks. In some instances, connection agents glean information about networks by probing the networks, but without connecting to the networks. For example, connection agents may perform operations to determine what authentication protocol is used by a network. Using the information gleaned from probing, the connection agents can avoid connecting to potentially harmful networks. For example, if a network's authentication protocol differs from an expected protocol, the connection agent can assume the network is unsafe, and thus avoid connecting to that network.
- Although probing has many benefits, some networks may interpret certain probing operations as potentially harmful. These networks may respond by taking remedial action, such as locking out devices that perform suspicious probing. Because some probing can cause lock-outs and other undesired effects, embodiments of the connection agent can select probing operations that will not appear suspicious to networks (i.e., will not cause lock-outs or other conditions that limit or preclude connectivity). As a result, embodiments of the inventive subject matter reduce risks associated with network connectivity, while also avoiding problems associated with network probing. The following discussion of FIG. 1 provides more detail about some embodiments.
- FIG. 1 is a conceptual diagram illustrating operations of a connection agent, according to some embodiments of the invention. In FIG. 1, a laptop computer 102 includes a connection agent (not shown) capable of detecting networks that are available for connection. In FIG. 1, the following networks are available: a Wi-Fi network, a 3G network, and an ISDN network. The laptop's connection agent can connect to these networks via a Wi-Fi access point 104, a 3G access point 106, and an ISDN network 108.
- In FIG. 1, the operations occur in five stages. At stage 1, the laptop's connection agent detects the Wi-Fi, 3G, and ISDN networks by interacting with the access points.
- At stage 2, the connection agent classifies the networks based on provisioning information and information in a venue cache. Provisioning information can include information that is known about the networks. For example, for a given Wi-Fi network, the provisioning information may indicate the Wi-Fi network's service set identifier (SSID), basic service set identifiers (BSSIDs) for Wi-Fi access points included in the Wi-Fi network, authentication credentials, expected authentication protocols, etc. The connection agent can classify networks by comparing information gleaned from the networks (e.g., SSID and BSSID) with provisioning information. In some instances, as a result of classification, the connection agent determines whether a network is known (e.g., identified in the provisioning) and whether the network is trusted. For example, the connection agent may detect the Wi-Fi network's SSID and BSSID, as the Wi-Fi access point 104 may periodically broadcast beacons including its SSID and BSSID. In turn, the connection agent can compare the SSID and BSSID with expected values in the provisioning information. If the SSID and BSSID match the provisioning information, the connection agent can classify the network as known and trusted. The connection agent's venue cache includes results from earlier classifications and characterizations. Thus, the connection agent can utilize information in the venue cache to speed up classification and characterization. For example, if venue cache information indicates that the network's SSID and BSSID are associated with a known and trusted network, the connection agent may immediately connect to the network, skipping stages 3 and 4. Although these examples refer to SSIDs and BSSIDs, embodiments can perform classification using any suitable network information, as discussed in more detail below.
- At stage 3, the connection agent presents a list of networks it has detected. As shown, the connection agent can present the network list in a graphical user interface 110 appearing on the laptop computer 102. Based on the classification (stage 2), the graphical user interface 110 indicates that the Wi-Fi network, 3G network, and ISDN network are trusted networks. In some instances, a user can select any of the networks for connection. In other instances, fewer than all networks are selectable for connection (e.g., untrusted networks may not be selectable for connection). Also during stage 3, the connection agent receives a network selection via the graphical user interface 110.
- During stage 4, the connection agent characterizes the selected network by probing the network. As mentioned above, the connection agent can probe the network for information without creating a network connection. For example, the connection agent can probe the Wi-Fi network to determine its authentication protocol. If the network's SSID, BSSID, and authentication protocol match those stored in the provisioning information, the connection agent characterizes the network as known and trusted. During stage 5, the connection agent connects to the Wi-Fi network.
- Because the connection agent can probe the network for information, and compare that information with provisioning information, the connection agent can reduce the risk of connecting to potentially harmful networks. The following discussion will provide more details about various embodiments of the inventive subject matter.
- This section describes an example operating environment and presents structural aspects of some embodiments. For example, this section includes discussion about connection agents, computing devices, and networks.
- FIG. 2 is a block diagram illustrating a system in which connection agents connect computing devices to networks, according to some embodiments of the invention. In FIG. 2, a system 200 includes computing devices 202, which include connection agents 204. The system 200 also includes an access point 206, public telephone network 208, Internet service provider (ISP) 210, network 212, and enterprise servers 214.
- During operation, the connection agents 204 can connect the computing devices 202 to the ISP 210, which in turn connects the computing devices to the enterprise servers 214. The ISP 210 can also enable the computing devices 202 to communicate with devices on the Internet (not shown).
- In some embodiments, the computing devices 202 include desktop computers, notebook computers, tablet computers, personal digital assistants, mobile telephones, mobile media devices, etc. In other embodiments, one or more of the computing devices 202 can be embedded in other systems, such as automobiles, aircraft, etc. The following discussion of FIG. 3 provides more details about connection agents.
- FIG. 3 is a block diagram illustrating components of a connection agent, according to example embodiments of the invention. In FIG. 3, the connection agent 304 includes an event unit 306, classification unit 308, characterization unit 310, connection unit 315, scoring unit 313, and display unit 312. The connection agent 304 has access to policies 314, provisioning information 316, certificates 318, a venue cache 320, and a response cache 322.
- The event unit 306 can detect network events that indicate the presence of available networks. The classification unit 304 can classify networks into categories (e.g., known and unknown) and classes (e.g., trusted, untrusted, semi-trusted, etc.). The classification unit 308 makes determinations about network trust levels based on the provisioning information 316 and information received from networks. The characterization unit 310 can probe networks to make further determinations about network trust levels. The display unit 312 can perform operations for interacting with users, such as determining which of the available networks to display to users, processing user input, etc. The scoring unit 313 can determine a score for networks, where the scores are based on factors such as connection history, signal strength, network media type, etc. The connection unit 315 can connect the computing device 302 to networks.
- In some instances, an enterprise provides the connection agent 304 to its employees to facilitate secure network connectivity across a wide geographic area. For example, the connection agent 304 can facilitate secure connectivity when employees connect at an enterprise campus, when employees travel off campus, when employees are at their homes, etc. The enterprise's information technology administrators may configure the policies 314 so the connection agent 304 operates at a risk level acceptable to the enterprise. Administrators and trusted parties outside the enterprise may provide the provisioning information 318. The connection agent 304 uses the provisioning information 318 to determine whether networks are trusted (e.g., by comparing information received from networks to the provisioning information 318). The provisioning information 318 includes information about known networks. For example, for a particular network, the provisioning information may indicate the network's identification information, authentication protocols, authentication credentials (e.g., passwords, certificates, etc.), access point locations (for wireless networks), dial-up telephone numbers (for dial-up networks), and other information useful for connecting to the network. The following lists show provisioning information for networks of different media types.
- Wi-Fi Network—SSID, BSSID, capability flags, network mask, Gateway IP address, access method, trust level, category, etc.
- Ethernet Network—access method, network mask, gateway IP address, trust level, category, etc.
- 3G Network—trust level, category, carrier identifier, network identifier, network mask, access method, network type, mode (auto, manual), network attachment information (CID, network credentials), etc.
- 4G Network—trust level, category, SSID, carrier identifier, network identifier
- Dial-up Network—trust level, category, geographic context information, GeoContext including latitude and longitude plus geopolitical context (zip code, country, city, country, continent, etc.), etc.
- The provisioning information can include records for multiple networks of the same media type. In some embodiments, the provisioning information 316 is organized into network directories (a.k.a. phonebooks). For example, the provisioning information 316 may include three network directories:
- Personal Directory—Entries in the personal directory include information about a user's personal-use networks that are not controlled by an enterprise. The user may trust networks in the personal directory.
- Campus Directory—Entries in the campus directory include information about networks controlled by an enterprise. Networks in the campus directory are trusted.
- Public Directory—Entries in the public directory include information about public networks that may be trusted.
- In some instances, all networks in a particular directory may have the same trust level. For example, all networks in the campus directory may have the highest trust level (e.g., because networks in the campus directory are controlled by the enterprise). In some embodiments, for each network represented in a network directory, there is a list of provisioning information. For example, a Wi-Fi network in the campus directory may have the following provisioning information: SSID, category, trust level, etc. The network directory in which a network is listed can affect how a network is scored and ranked (described below).
- The classification unit 308 can use the venue cache 320 to save time. The venue cache 320 stores authoritative network information collected during prior network connections. For example, the venue cache 320 may associate a Wi-Fi network's MAC/BSSID combination with a trust level, based on a prior connection. If the classification unit 308 encounters a network with a matching MAC/BSSID combination, it can resolve the MAC/BSSID combination to an initial trust level stored in the venue cache 320. If the classification unit 308 uses the venue cache 320 to classify a network, it can mark a flag to indicate that cache values were used to classify the network. If the network is later characterized using information obtained by probing the network, the connection agent 304 updates the network's trust level, category (e.g., known or unknown), score (described below), ranking (described below), and other information. Updating may change the trust level, which may cause the connection agent to make the network inaccessible (e.g., if the updated trust level became untrusted). In some embodiments, entries in the venue cache 320 may become invalid when a network is out of range for a given number of network scan cycles, when a link down event occurs, and when a network adapter is powered off.
- The characterization unit 310 can use the result cache 322 to save time, such as by avoiding certain network probes. In some instances, network characterization entails an iterative process that repeats certain network probe operations. The characterization unit 310 can store results of a network probe operation in the result cache 322, and later use those cached results instead of repeating the probe operations. Entries in the result cache 322 may become invalid for the following reasons: a corresponding network adapter is powered off or otherwise disabled, a network goes out of range or a link down event occurs, an entry's time to live expires, or the characterization unit 310 forces a re-probe of the network.
- Although not shown in FIGS. 1-3, the computing devices can include any suitable processors, memory devices, storage devices, display devices, application-specific integrated circuits, and other components for carrying out operations described herein.
- The inventive subject matter can be embodied as systems, methods, or computer program products. Accordingly, aspects of the present inventive subject matter may take the form of entirely hardware embodiments, entirely software embodiments (e.g., including firmware, resident software, micro-code, etc.), or embodiments combining software and hardware. Furthermore, aspects of the inventive subject matter may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
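The venue cache and the result cache described above, with the invalidation rules the text lists, written out as an added example that is not the patent's own code. The (adapter MAC, BSSID) key shape, the scan-cycle threshold and the time-to-live value are assumptions.

```python
"""Venue cache (block 320) and result cache (block 322) for a connection agent.

Constructed example, not the patent's own code. Key shapes, the scan-cycle
threshold and TTL values are assumptions; the invalidation rules follow the
text: venue entries drop after a number of scan cycles out of range, on a
link down event, or when the adapter is powered off; result-cache entries
drop on adapter off, on link down / out of range, on TTL expiry, or on a
forced re-probe.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Set, Tuple

NetKey = Tuple[str, str]  # (adapter MAC, BSSID); assumed key for a Wi-Fi network

MISSED_SCANS_BEFORE_INVALID = 3  # assumption for "a given number of network scan cycles"


@dataclass
class VenueEntry:
    category: str                            # "known" or "unknown"
    trust_level: str                         # "trusted", "semi-trusted" or "untrusted"
    used_for_classification: bool = False    # flag: cache values classified this network
    missed_scans: int = 0


class VenueCache:
    """Authoritative network information collected during prior connections."""

    def __init__(self) -> None:
        self._entries: Dict[NetKey, VenueEntry] = {}

    def record(self, key: NetKey, category: str, trust_level: str) -> None:
        """Store (or update after characterization) what was learned about a network."""
        self._entries[key] = VenueEntry(category, trust_level)

    def classify(self, key: NetKey) -> Optional[VenueEntry]:
        """Resolve a MAC/BSSID combination to an initial trust level, flagging cache use."""
        entry = self._entries.get(key)
        if entry is not None:
            entry.used_for_classification = True
        return entry

    def scan_cycle(self, in_range: Set[NetKey]) -> None:
        """Called once per scan; entries out of range for too many cycles become invalid."""
        for key, entry in list(self._entries.items()):
            if key in in_range:
                entry.missed_scans = 0
            else:
                entry.missed_scans += 1
                if entry.missed_scans >= MISSED_SCANS_BEFORE_INVALID:
                    del self._entries[key]

    def link_down(self, key: NetKey) -> None:
        self._entries.pop(key, None)

    def adapter_powered_off(self) -> None:
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


class ResultCache:
    """Caches individual probe results so iterative characterization need not repeat them."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float]) -> None:
        self._ttl = ttl_seconds
        self._clock = clock            # injectable clock so expiry can be exercised offline
        self._entries: Dict[Tuple[NetKey, str], Tuple[Any, float]] = {}
        self.probes_run = 0            # number of probes actually executed

    def probe(self, key: NetKey, name: str, run_probe: Callable[[], Any],
              force: bool = False) -> Any:
        """Return the cached result unless it is missing, expired, or a re-probe is forced."""
        cache_key = (key, name)
        if not force and cache_key in self._entries:
            result, expires_at = self._entries[cache_key]
            if self._clock() < expires_at:
                return result
            del self._entries[cache_key]   # time to live expired
        result = run_probe()
        self.probes_run += 1
        self._entries[cache_key] = (result, self._clock() + self._ttl)
        return result

    def network_gone(self, key: NetKey) -> None:
        """Out of range or link down: drop every probe result for that network."""
        for cache_key in [k for k in self._entries if k[0] == key]:
            del self._entries[cache_key]

    def adapter_powered_off(self) -> None:
        self._entries.clear()
```

The `probes_run` counter makes the saving visible: a second request for the same probe within the TTL returns the cached value without running the probe again, while expiry, a forced re-probe, or a network-gone event each cause exactly one fresh probe.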
- Any combination of one or more computer readable mediums may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), and an optical storage device, a magnetic storage device. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
- A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
- Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
- This section describes operations performed by some embodiments of the invention. In the discussion below, the flow diagrams will be described with reference to the block diagrams presented above. In certain embodiments, the operations are performed by executing instructions residing on computer-readable media (e.g., software), while in other embodiments, the operations are performed by hardware and/or other components (e.g., firmware). In some embodiments, the operations are performed in series, while in other embodiments, one or more of the operations can be performed in parallel. Moreover, some embodiments perform less than all the operations shown in the flow diagrams.
- The following discussion of FIGS. 4-6 describes operations for detecting, classifying, characterizing, and connecting to networks.
- FIG. 4 is a flow diagram illustrating operations for detecting, classifying, characterizing, and connecting to networks, according to some embodiments. In some embodiments, a connection agent performs the operations shown in the flow 400, which begins at block 402.
- At block 402, a connection agent's event unit 306 detects network events. In some embodiments, the event unit 306 registers to receive events from an operating system residing on the computing device 302. In some embodiments, after the connection agent 304 launches into operation, it goes inactive until the operating system reports an event. The operating system can detect the events at network adapters and other peripheral devices, and report the events to the event unit 306. The network events can indicate that networks are available, unavailable, or that network information has changed. The events can include Ethernet link-up events, detection of Wi-Fi beacons, changes to Wi-Fi signal strength, user input at peripheral devices, etc. The flow continues at block 404.
- At block 404, the connection agent 204 iteratively processes each of the network events by performing the operations shown at the following blocks. At block 406, the connection agent's classification unit 308 classifies a network associated with the latest network event. The classification unit 308 can use information that was received from the network without probing the network. The type of information received from the network depends on the media type of the network detected. For example, for Wi-Fi networks, the connection agent may detect Wi-Fi beacons including SSIDs, BSSIDs, and other information. For 3G networks, the agent may detect a 3G network identifier. For dial-up networks, the connection agent may detect a signal (e.g., dial tone) or other information. Thus, after receiving information from/about the network, the connection agent knows the network's media type and other information (e.g., Wi-Fi SSID, 3G network identifier, etc.).
- After receiving information from/about the network, the connection agent's classification unit 308 compares the network information against information in the provisioning information 316. For example, the classification unit 308 compares the network information (e.g., {SSID, media type: Wi-Fi}) with the provisioning information, such as entries in the public, campus, and personal directories. If there is a match, the connection agent may make a preliminary determination that the network is known, and that the network has whatever trust level is indicated in the provisioning information (e.g., trust level = trusted). In some instances, instead of comparing against provisioning information, the classification unit 308 matches the network information with information in the venue cache 320.
- At block 406, in addition to classifying networks, the classification unit 308 creates/maintains a network list including all available networks (i.e., networks detected at block 402). The network list is used later in the flow 400. The operation at block 406 is described in greater detail in FIG. 6, which shows how some embodiments classify networks. FIG. 6 will be discussed in detail below. The flow continues at block 408.
- At block 408, the connection agent 304 determines whether there are more network events for processing (i.e., events received at block 402). If there are more network events, the flow continues at block 404. Otherwise, the flow continues at block 410.
- At block 410, the connection agent scores each network in the network list. As noted in the discussion of network classification (block 406), the classification unit 308 creates a network list including the networks it has classified. The connection agent's scoring unit 313 can determine a score for each network in the network list. In some embodiments, one or more of the following factors contribute to a network's score:
- Network Media Type—The media type can be Wi-Fi, Ethernet, 3G, 4G, Dial-up, etc.
- Signal Strength—The signal strength typically refers to signal strength of wireless networks. However, signal strength may be relevant to some wired networks. The signal strength of a network may change. As a result, a network's score may change as signal strength increases and decreases.
- Connection History—Connection history may include information (e.g., records, statistics, etc.) about successful and failed attempts to connect to the network. The connection history may change, so the network's score may change as connection history changes.
- Provisioner Type—The provisioner type refers to the network directory in which the network is listed. Network directories can include a Public Directory, a Personal Directory, and a Campus directory.
- In some embodiments, each of the above-noted factors can be weighted, and then combined to constitute a network score for each network in the network list. Weights can be preset or adjustable. Some of the factors are included in the provisioning information 316 (e.g., provisioner type), whereas other factors are determined based on information received from the network (e.g., signal strength). Thus, at block 410, the connection agent's scoring unit 313 determines a network score for each network in the network list. The flow continues at block 412.
- At block 412, the connection agent's score unit 313 ranks the network list based on the scores. For example, the network receiving the highest score may be the top-ranked network. The network rankings may descend along with network scores, where the second highest score has the second-highest rank, the third highest score has the third-highest rank, and so on. In some instances, higher-ranked networks are more trusted, have better signal strength, have fewer transmission errors, etc. Embodiments can employ any suitable ranking system. The flow continues at block 414.
- At block 414, the connection agent's display unit 312 creates a filtered network list. For example, the filtered list can include only networks that were classified as known and trusted. In some embodiments, the display unit 312 does not filter the network list. The flow continues at block 416.
- At block 416, the connection agent's display unit 312 presents the network list in a graphical user interface. FIG. 5 is a block diagram illustrating a graphical user interface, according to some embodiments of the invention. As shown in FIG. 5, the graphical user interface 500 presents the ranked network list. Additionally, the graphical user interface 500 indicates whether the networks are trusted, and a network media type (e.g., Wi-Fi). In some embodiments, users can select one of the networks in the graphical user interface 500. Referring back to FIG. 4, the flow continues at block 418.
- At block 418, the connection agent 304 detects an event. The flow continues at block 420.
- At block 420, the network agent determines whether the event is a network event or a user event. If the event is a network event, the flow continues at block 406. In that case the flow will not loop through the blocks again, because the only event to process at block 408 is the one detected at block 418. Thus, after classifying the network associated with the network event (block 406), the flow will continue through block 408 to block 410. At block 410, the connection agent scores the network list and proceeds through the flow 400.
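Blocks 410 through 414 (weighted scoring, ranking, filtering to known and trusted networks) as an added example; this is not the patent's own code. The four factors are the ones the text lists, but the per-factor scales, the equal default weights, and the sample network list are assumptions.

```python
"""Scoring, ranking and filtering of the network list (blocks 410-414).

Constructed example, not the patent's own code. The per-factor scales, the
default weights and the sample network list are assumptions; the four factors
(media type, signal strength, connection history, provisioner type) are the
ones the text lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordering of media types, most to least preferred.
MEDIA_TYPE_SCORE: Dict[str, float] = {
    "Ethernet": 1.0, "Wi-Fi": 0.8, "4G": 0.7, "3G": 0.5, "Dial-up": 0.1,
}
# Assumed provisioner-type scale: campus directory networks are enterprise-controlled.
PROVISIONER_SCORE: Dict[Optional[str], float] = {
    "campus": 1.0, "personal": 0.7, "public": 0.4, None: 0.0,
}
# Preset weights; an administrator could adjust these through the policies.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "media": 0.25, "signal": 0.25, "history": 0.25, "provisioner": 0.25,
}


@dataclass
class NetworkEntry:
    name: str
    media_type: str
    signal_strength: int       # 0-100; wired links report 100 in this example
    successes: int             # connection history: successful attempts
    failures: int              # connection history: failed attempts
    directory: Optional[str]   # provisioner type: directory listing the network, if any
    category: str              # "known" / "unknown" from classification (block 406)
    trust_level: str           # "trusted" / "semi-trusted" / "untrusted" from classification


def history_score(successes: int, failures: int) -> float:
    """Fraction of successful attempts; a network with no history scores a neutral 0.5."""
    total = successes + failures
    return 0.5 if total == 0 else successes / total


def score_network(n: NetworkEntry, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Block 410: weighted combination of the four factors."""
    return (weights["media"] * MEDIA_TYPE_SCORE.get(n.media_type, 0.0)
            + weights["signal"] * n.signal_strength / 100.0
            + weights["history"] * history_score(n.successes, n.failures)
            + weights["provisioner"] * PROVISIONER_SCORE.get(n.directory, 0.0))


def rank_networks(networks: List[NetworkEntry],
                  weights: Dict[str, float] = DEFAULT_WEIGHTS) -> List[NetworkEntry]:
    """Block 412: highest score first."""
    return sorted(networks, key=lambda n: score_network(n, weights), reverse=True)


def filter_known_trusted(networks: List[NetworkEntry]) -> List[NetworkEntry]:
    """Block 414: only networks classified as known and trusted reach the GUI."""
    return [n for n in networks if n.category == "known" and n.trust_level == "trusted"]


def sample_network_list() -> List[NetworkEntry]:
    """Constructed sample network list, as it might look after block 408."""
    return [
        NetworkEntry("corp-wifi", "Wi-Fi", 80, 9, 1, "campus", "known", "trusted"),
        NetworkEntry("corp-ethernet", "Ethernet", 100, 3, 0, "campus", "known", "trusted"),
        NetworkEntry("home-wifi", "Wi-Fi", 60, 5, 0, "personal", "known", "trusted"),
        NetworkEntry("CoffeeShop-Free", "Wi-Fi", 95, 0, 0, None, "unknown", "untrusted"),
        NetworkEntry("hotel-3g", "3G", 40, 2, 2, "public", "known", "semi-trusted"),
    ]


def ranked_names(networks: Optional[List[NetworkEntry]] = None) -> List[str]:
    networks = sample_network_list() if networks is None else networks
    return [n.name for n in rank_networks(networks)]


def displayed_names(networks: Optional[List[NetworkEntry]] = None) -> List[str]:
    """Names in the order the GUI of FIG. 5 would show them after filtering."""
    networks = sample_network_list() if networks is None else networks
    return [n.name for n in filter_known_trusted(rank_networks(networks))]


if __name__ == "__main__":
    for n in rank_networks(sample_network_list()):
        print(f"{n.name:16s} {n.media_type:9s} {n.trust_level:13s} score={score_network(n):.3f}")
```

Because signal strength enters the score directly, lowering `corp-wifi`'s signal from 80 to 20 drops it below `home-wifi` in the ranking, which is the re-scoring behaviour the factor list describes; the unknown, untrusted `CoffeeShop-Free` network scores reasonably well on signal alone but never passes the block 414 filter.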
block 420, the flow continues at block 422. The user event represents user input selecting a network for connection from the graphical user interface 500. Although a user may want to connect to a selected network, theconnection agent 308 will not complete the connection unless it can verify more information about the network. That is, theagent 308 will not connect until it has more information corroborating trustworthiness of the network. - At block 422, the connection agent's
characterization unit 310 characterizes the selected network. The connection agent'scharacterization unit 310 characterizes the selected network by probing the network for information without establishing a network connection. For example, for Wi-Fi networks, thecharacterization unit 310 may determine that a Wi-Fi network's authentication protocol is 802.1x. The characterization unit 300 can probe the Wi-Fi network by sending an identification request to the network's 8021.X server, and receiving a response from the 8021.X server. If the 8021.X server's response matches provisioning information, thecharacterization unit 310 may characterize the network as known and trusted. By performing the operation at block 422 (i.e. characterization), theconnection agent 304 can make better decisions about whether a given network poses risks (e.g., viruses, data theft, etc.) without actually connecting to the network. - As noted above, some embodiments work for any suitable network media types, such as Ethernet networks, Wi-Fi networks, dial-up networks, etc. In some embodiments, the connection agent performs different operations for characterizing networks depending on network type. For example, operations for characterizing Wi-Fi networks may differ from operations for characterizing Ethernet networks. The discussion of
FIGS. 7-12 describes operations for characterizing different network types. The flow continues atblock 423. - At
block 423, the connection agent determines whether the characterization produced a match in provisioning information. If there is no match, the flow continues atblock 434. Otherwise, the flow continues atblock 424. - At
block 424, the connection agent'sconnection unit 315 determines whether the selected network appears safer as a result of characterization. That is, theconnection unit 315 compares results of classification with results of characterization. For example, classification operation (at block 406) may indicate that a network is known but untrusted. After theconnection agent 304 performs characterization (at block 422), the perceived trust level may increase (changing from trusted to untrusted), decrease (changing from trusted to untrusted), or remain the same. If the trust level is the same or increases, the flow continues atblock 426. If the trust level decreases, the flow continues atblock 432. - At
block 426, the connection agent'sconnection unit 315 connects to the network. By connecting, thecomputing device 302 can communicate with other devices on the network, such asenterprise servers 204, web servers, e-mail servers, etc. The flow continues atblock 428. - At
block 428, thecharacterization unit 310 updates thevenue cache 320 to include information learned from the characterization operation (at block 422). Such information may indicate that the network to which the connection agent is connected is known and trusted. The flow continues atblock 430. - At
block 430, thecharacterization unit 310 performs post-connection characterization. After connecting to the network, thecharacterization unit 310 can learn more about whether the network is authentic. For example, thecharacterization unit 310 can query theprovisioning information 316 to determine a list of devices (e.g., printers, storage devices, fax devices, etc.) that should be available on the network. If devices enumerated in theprovisioning information 316 are available, thecharacterization unit 310 has more evidence supporting its determination that the network should be trusted. However, if none of the devices are available, the characterization unit 300 and may perform additional tests, or it may downgrade the trust level. Additional post-connection tests can determine whether devices, services, protocols, etc. listed in theprovisioning information 316 are actually available on the network. Fromblock 430, the flow ends. - As noted above, at
block 424, if the network's trust level is less than expected, the flow continues atblock 432. Atblock 432, thecharacterization unit 310 updates thevenue cache 320 to include information learned from the characterization operation (at block 422). Such information may indicate that the network is known and untrusted. The flow continues atblock 434. - At
block 434, the connection agent'sconnection unit 315 refuses connection to the network. In some instances, theconnection agent 304 refuses to connect to a network because the network's trust level is untrusted, or otherwise has a lower trust level than needed for establishing a connection. Fromblock 434, the flow ends. - As mentioned above, embodiments of the connection agent perform operations for classifying networks. For example, in
FIG. 4 , a connection agent classifies a network atblock 406. The following discussion ofFIG. 6 provides details about how some embodiments may perform network classification. -
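The classification step of block 406 together with the characterization and connect/refuse decision of blocks 422 through 434, as an added example that is not the patent's own code. The provisioning records, the three observed networks and the policy minimum trust level are constructed assumptions; the probe itself is represented by the authentication protocol it would have returned, so the decision logic runs offline.

```python
"""Classification (block 406), characterization (blocks 422-423) and the
connect/refuse decision (blocks 424-434) for Wi-Fi networks.

Constructed example, not the patent's own code. Provisioning records,
observations and the policy minimum trust level are assumptions. The probe
result is supplied as data (the authentication protocol the 802.1X exchange
would have revealed) so that the decision logic can run offline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

TRUST_ORDER = {"untrusted": 0, "semi-trusted": 1, "trusted": 2}
VenueCache = Dict[Tuple[str, str], Tuple[str, str]]   # (SSID, BSSID) -> (category, trust)


@dataclass(frozen=True)
class ProvisioningEntry:
    """One Wi-Fi record from a network directory (provisioning information 316)."""
    ssid: str
    bssids: FrozenSet[str]     # access points that belong to this network
    auth_protocol: str         # expected authentication protocol
    trust_level: str
    directory: str             # "campus", "personal" or "public"


@dataclass
class Observation:
    """What the agent knows about a detected network before and after probing."""
    ssid: str                                    # from the beacon
    bssid: str                                   # from the beacon
    probed_auth_protocol: Optional[str] = None   # filled in by characterization (block 422)


def classify(obs: Observation, provisioning: Sequence[ProvisioningEntry]) -> Tuple[str, str]:
    """Block 406: match beacon information against provisioning without probing."""
    for entry in provisioning:
        if entry.ssid == obs.ssid and obs.bssid in entry.bssids:
            return "known", entry.trust_level
    return "unknown", "untrusted"


def characterize(obs: Observation,
                 provisioning: Sequence[ProvisioningEntry]) -> Optional[Tuple[str, str]]:
    """Blocks 422-423: SSID, BSSID and the probed authentication protocol must all match."""
    for entry in provisioning:
        if (entry.ssid == obs.ssid and obs.bssid in entry.bssids
                and entry.auth_protocol == obs.probed_auth_protocol):
            return "known", entry.trust_level
    return None


def decide(obs: Observation, provisioning: Sequence[ProvisioningEntry],
           venue_cache: VenueCache, min_trust: str = "trusted") -> str:
    """Blocks 423-434: returns "connect" or "refuse" and updates the venue cache
    as blocks 428/432 do. min_trust stands in for the policies 314 (assumption)."""
    _, classified_trust = classify(obs, provisioning)
    result = characterize(obs, provisioning)
    if result is None:
        return "refuse"                   # block 423 -> 434: no match in provisioning
    category, characterized_trust = result
    key = (obs.ssid, obs.bssid)
    venue_cache[key] = (category, characterized_trust)     # block 428 or block 432
    if TRUST_ORDER[characterized_trust] < TRUST_ORDER[classified_trust]:
        return "refuse"                   # block 424 -> 432 -> 434: trust level decreased
    if TRUST_ORDER[characterized_trust] < TRUST_ORDER[min_trust]:
        return "refuse"                   # block 434: lower trust than policy requires
    return "connect"                      # block 426


# Constructed provisioning data: one campus directory entry, one public directory entry.
CAMPUS_DIRECTORY = (
    ProvisioningEntry("corp-wifi", frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}),
                      "802.1X", "trusted", "campus"),
)
PUBLIC_DIRECTORY = (
    ProvisioningEntry("hotel-guest", frozenset({"66:77:88:cc:dd:01"}),
                      "captive-portal", "semi-trusted", "public"),
)
PROVISIONING = CAMPUS_DIRECTORY + PUBLIC_DIRECTORY


def run_scenarios() -> Dict[str, str]:
    """Three constructed networks: the genuine campus access point, an imposter that
    presents the campus SSID and BSSID but a different authentication protocol, and
    a public network whose trust level is below the policy minimum."""
    cache: VenueCache = {}
    scenarios = {
        "genuine campus AP": Observation("corp-wifi", "00:11:22:aa:bb:01", "802.1X"),
        "imposter AP": Observation("corp-wifi", "00:11:22:aa:bb:02", "WPA2-PSK"),
        "hotel network": Observation("hotel-guest", "66:77:88:cc:dd:01", "captive-portal"),
    }
    return {name: decide(obs, PROVISIONING, cache) for name, obs in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

The imposter case is the one the introduction describes: classification alone (SSID and BSSID from the beacon) would call it known and trusted, and only the characterization step, which checks the authentication protocol against the expected one, turns the verdict into a refusal. Note that on the no-match path the venue cache is left untouched, matching block 423 going straight to block 434.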
FIG. 6 is a flow diagram illustrating operations for classifying networks, according to some embodiments of the invention. Some embodiments may perform the operations of FIG. 6 when performing the classification at FIG. 4's block 406. Just before FIG. 4's block 406, the connection agent detects one or more network events. The flow 600 describes how some embodiments characterize networks by processing those network events. At block 602, the connection agent's classification unit 308 determines what type of network event was detected. In some embodiments, the network event can be one of three types: an add event, a delete event, or an update event. An add event indicates that a network is available and should be added to a list of available networks (i.e., the network list). A delete event indicates that a network is no longer available, so the network should be deleted from the network list. An update event indicates that some information about the network has changed. If the event is an add event, the flow continues at block 604. If the event is an update event, the flow continues at block 614. If the event is a delete event, the flow continues at block 616.

For an add event, at block 604, the classification unit 308 adds the network to a list of available networks (i.e., the network list). The flow continues at block 606.

The add event indicates information about a network (i.e., the network from which the add event originated). For example, for a Wi-Fi network, the event can include information in a Wi-Fi beacon, such as SSID, BSSID, etc. For a 3G network, the event may include the 3G network's identifier. The event can include other information for networks of other media types. At block 606, the classification unit 308 compares this information with information in the venue cache 320. If there is a match in the venue cache, the flow continues at block 608. At block 608, the classification unit 308 determines whether the network is known and trusted based on information in the venue cache 320. Based on previous classifications and/or characterizations, the venue cache 320 indicates a network category (e.g., known or unknown) and network trust level (e.g., trusted, untrusted, semi-trusted). From block 608, the flow ends.

If there is not a match in the venue cache, the flow continues at block 610. At block 610, the classification unit 308 determines whether information about the network matches provisioning information, such as information in one of the network directories (a.k.a. phone books). If the information does not match provisioning information, the flow continues at block 612, where the classification unit 308 assigns the network category to be unknown, and the network trust level to be untrusted. From block 612, the flow ends.

At block 610, if the information matches provisioning information, the flow continues at block 618. At block 618, the classification unit 308 assigns the network's category to be known, and the network's trust level to be the trust level indicated in the provisioning information (e.g., trusted). From block 618, the flow ends.

Referring back to block 602, if the event is an update event, the flow continues at block 614. At block 614, the classification unit 308 updates information associated with the network. For example, the event may indicate a change in signal strength. The classification unit 308 records the signal strength change because such a change may affect scores and ranking.

At block 602, if the network event is a delete event, the flow continues at block 616. At block 616, the classification unit 308 deletes the network from the network list. As a result, the network is no longer available for connection. From block 616, the flow ends.

As noted above, network characterization is a process by which a connection agent compares information received from a network to provisioning information that describes a network. The following flow diagrams show how embodiments of the invention can employ different techniques of characterization for different network media. For example,
FIG. 7 describes operations for characterizing Wi-Fi networks, whereas FIG. 9 describes operations for classifying Ethernet networks. Additionally, FIGS. 8 & 10-12 include operations for characterizing other network media types. In some embodiments, when performing characterization at block 422 of FIG. 4, the connection agent performs one or more of the following flow diagrams. The discussion continues with a description of characterizing Wi-Fi networks.
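The event-driven classification of FIG. 6 described above (venue cache first, then the network directories, otherwise unknown and untrusted), written out as an added example; this is not the patent's own code, and the class layouts, the cache and directory shapes, and all names are assumptions made for illustration.

```python
"""Event-driven network classification modelled on FIG. 6.

Added example, not the patent's own code: the classes, the venue-cache and
directory layouts, and all names are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Network:
    """One entry in the network list (block 604)."""
    ssid: str
    bssid: str
    media: str = "wifi"
    signal: int = 0
    category: str = "unknown"   # "known" or "unknown"
    trust: str = "untrusted"    # "trusted", "semi-trusted" or "untrusted"


@dataclass
class Classifier:
    # venue cache: (ssid, bssid) -> (category, trust) learned in earlier runs
    venue_cache: dict
    # provisioning: directory name -> {ssid: trust level} (the "phone books")
    directories: dict
    network_list: dict = field(default_factory=dict)

    def handle_event(self, kind, ssid, bssid, media="wifi", signal=None):
        """Block 602: dispatch on the event type; returns the list entry (or None)."""
        key = (ssid, bssid)
        if kind == "add":                           # blocks 604-618
            net = Network(ssid, bssid, media, signal or 0)
            self.network_list[key] = net
            self._classify(net)
        elif kind == "update":                      # block 614
            if key in self.network_list and signal is not None:
                self.network_list[key].signal = signal   # affects scoring/ranking
        elif kind == "delete":                      # block 616
            self.network_list.pop(key, None)
        else:
            raise ValueError(f"unknown network event type {kind!r}")
        return self.network_list.get(key)

    def _classify(self, net):
        """Blocks 606-618: venue cache first, then the directories, else unknown."""
        cached = self.venue_cache.get((net.ssid, net.bssid))
        if cached is not None:                      # block 608: cache decides
            net.category, net.trust = cached
            return
        for entries in self.directories.values():   # block 610: directory match
            if net.ssid in entries:                 # block 618
                net.category, net.trust = "known", entries[net.ssid]
                return
        net.category, net.trust = "unknown", "untrusted"   # block 612: default


def demo():
    """Constructed sample data: one cached venue and two directory entries."""
    return Classifier(
        venue_cache={("CorpWiFi", "00:11:22:33:44:55"): ("known", "untrusted")},
        directories={"public": {"HotelNet": "trusted"},
                     "campus": {"CampusNet": "semi-trusted"}},
    )
```

A directory match on the SSID alone is only the classification step; the characterization flows that follow probe the network before the assigned trust level is acted on.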
FIG. 7 is a flow diagram illustrating operations for characterizing Wi-Fi networks, according to some embodiments of the invention. In FIG. 7, the flow 700 begins at block 702, where a connection agent receives information about a Wi-Fi network. In some embodiments, the information is included in a network event, which is detected at FIG. 4's block 402. The information can originate from a Wi-Fi access point, and include an SSID, Wi-Fi beacon, media type indicator, etc. The connection agent uses this information to classify the network, as described below. The flow continues at block 704.

At block 704, the connection agent tries to match the network information received at block 702 with provisioning information, such as the network directories. For example, the connection agent tries to match the network information (e.g., SSID, beacon, and media type) to entries in its public directory, private directory, and campus directory. The flow continues at block 706.

At block 706, the connection agent determines whether the network information matches provisioning information. For example, the information (received at block 702) may match entries in the public directory, campus directory, and personal directory. In some instances, the network information matches entries in more than one directory. The connection agent creates a list including all the matching directory entries. If there is a match, the flow continues at block 708, where the connection agent processes entries in the list. Otherwise, the flow ends.

At block 708, the flow begins a loop that processes each matching entry in the list. For example, a first pass through the loop will process a list entry that matched in the public directory, whereas a second pass through the loop will process a match in the campus directory, and so on for all list entries. The flow continues at block 710.

At block 710, the connection agent determines an authentication method based on the matching provisioning information. For example, each entry in the list of matching directory entries indicates an authentication method employed by a network. The connection agent will probe the network to verify the authentication method. The connection agent probes in different ways depending on the authentication method. If the entry indicates that the network uses 802.1X, Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP), or WPA2 + Advanced Encryption Standard (AES), the flow continues at block 711. If the entry indicates that the network uses Wired Equivalent Privacy (WEP), the flow continues at block 718. If the entry indicates that the network uses a pre-shared key (PSK) protocol, the flow continues at block 720. If the entry indicates that the network is open (i.e., the network uses no authentication protocol), the flow continues at block 722.

At block 711, the connection agent probes the network's 802.1X device. For example, the connection agent sends an ID request to the 802.1X server and receives a response. The connection agent can store the response in a response cache (e.g., response cache 322). The connection agent can reuse this information in future iterations of the loop. For example, when processing another entry in the list, if the entry's authentication protocol is 802.1X, the connection agent can skip block 711 by using results from the result cache.

At block 712, the connection agent determines whether information included in the 802.1X server's response matches authentication information in the matching directory entry. If there is a match, the connection agent updates the list entry's network category to be known and its trust level to "trusted." (See block 714.) If there is no match, the connection agent updates the list entry's network category to be unknown and its trust level to untrusted. (See block 716.) In the flow 700, the blocks block 728.

Referring back to block 710, if the authentication method is WEP, the flow continues at block 718. At block 718, the connection agent associates with the network using a WEP key included in the provisioning information (e.g., the matching directory entry). The connection agent can store information about associating with the network in the result cache. The flow continues at block 722.

Referring back to block 710, if the authentication method is a PSK protocol, the flow continues at block 720. At block 720, the connection agent attempts to associate with the Wi-Fi network using a pre-shared key indicated in the provisioning information (e.g., the matching network directory entry). The connection agent can store information about associating with the network in the result cache. The flow continues at block 722.

At block 722, if the association attempt is successful (e.g., the Wi-Fi access point accepted the WEP key), the connection agent moves to block 726, where it performs more characterization at the network layer (i.e., layer 3) of the OSI stack. For more information about performing more characterization of the network layer, see the discussion of FIG. 8 below. If the authentication is not successful, the connection agent moves to block 724, where it removes the network entry from the list of matching network entries. The flow continues at block 728, where the connection agent determines whether there are more matching network entries to process. If so, the flow 700 loops back to block 708. Otherwise, the flow ends.

As noted above, the network information received at block 702 may match multiple entries in the network directories. Thus, the connection agent creates a list of matching entries, and then processes the list. After the flow 700, the list may include more than one entry. Thus, the connection agent may select and return one entry from the list, where the selected entry indicates a category and trust level for the network. The selection process can consider security policies and other factors. In some embodiments, the connection agent selects the list entry indicating the highest trust level (e.g., a network that is known and trusted).

As noted in the discussion of FIG. 7, block 722 performs characterization operations at layer 3 (i.e., the network layer) of the network. FIG. 8 describes how some embodiments may perform network-layer characterization. This discussion continues with a description of FIG. 8.
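The FIG. 7 loop, the result cache it describes, and the final highest-trust selection, as an added example that is not the patent's own code. The three network interactions (the 802.1X identity probe of block 711, the association attempts of blocks 718 and 720, and the layer-3 characterization of block 726) are passed in as callables so the decision logic runs offline; the directory-entry fields and every name are assumptions made for illustration.

```python
"""Wi-Fi characterization loop modelled on FIG. 7.

Added example, not the patent's own code. The network interactions are
injected as callables; every name here is an assumption made for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple

TRUST_ORDER = {"untrusted": 0, "semi-trusted": 1, "trusted": 2}


@dataclass
class DirectoryEntry:
    directory: str          # "public", "campus" or "personal"
    ssid: str
    auth: str               # "802.1X", "WEP", "PSK" or "open"
    trust: str
    category: str = "known"
    server_id: str = ""     # expected content of the 802.1X identity response
    key: str = ""           # WEP key or pre-shared key from provisioning


@dataclass
class Probes:
    dot1x_identity: Callable[[], str]             # block 711: ID request -> response
    associate: Callable[[str, str], bool]         # blocks 718/720: (auth, key) -> ok?
    layer3: Callable[[], Tuple[str, str]]         # block 726: -> (category, trust)


def characterize_wifi(ssid: str, directories, probes: Probes) -> Optional[DirectoryEntry]:
    """Blocks 704-728 plus the final highest-trust selection."""
    matches = [e for d in directories for e in d if e.ssid == ssid]   # blocks 704-706
    if not matches:
        return None
    result_cache = {}       # probe results reused across loop iterations
    results = []
    for entry in matches:                                   # block 708
        if entry.auth == "802.1X":                          # block 711
            if "802.1X" not in result_cache:
                result_cache["802.1X"] = probes.dot1x_identity()
            if result_cache["802.1X"] == entry.server_id:   # block 712
                results.append(replace(entry, category="known", trust="trusted"))      # 714
            else:
                results.append(replace(entry, category="unknown", trust="untrusted"))  # 716
            continue
        if entry.auth in ("WEP", "PSK"):                    # blocks 718/720
            ck = (entry.auth, entry.key)
            if ck not in result_cache:
                result_cache[ck] = probes.associate(entry.auth, entry.key)
            if not result_cache[ck]:                        # block 722 -> 724
                continue                                    # entry dropped from list
        # Open entries, and WEP/PSK entries that associated, go to layer 3.
        if "layer3" not in result_cache:                    # block 726
            result_cache["layer3"] = probes.layer3()
        category, trust = result_cache["layer3"]
        results.append(replace(entry, category=category, trust=trust))
    if not results:
        return None
    # More than one entry may remain after the loop; return the highest-trust one.
    return max(results, key=lambda e: TRUST_ORDER[e.trust])


def demo() -> Optional[DirectoryEntry]:
    """Constructed sample: "HotelNet" matches a public 802.1X entry and a campus
    PSK entry; the AP rejects the campus PSK but the 802.1X identity matches."""
    public = [DirectoryEntry("public", "HotelNet", "802.1X", "trusted",
                             server_id="radius.example.test")]
    campus = [DirectoryEntry("campus", "HotelNet", "PSK", "semi-trusted",
                             key="campus-psk-placeholder")]
    probes = Probes(dot1x_identity=lambda: "radius.example.test",
                    associate=lambda auth, key: False,
                    layer3=lambda: ("known", "semi-trusted"))
    return characterize_wifi("HotelNet", [public, campus], probes)
```

Selecting the highest trust level is only the default the text mentions; the selection can also apply security policies, which a deployment would add at the `max` call.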
FIG. 8 is a flow diagram illustrating operations for characterizing a network based on network-layer interactions, according to some embodiments of the invention. In FIG. 8, a flow 800 begins at block 802, where a connection agent (or another component) acquires an Internet Protocol (IP) address. The flow continues at block 804. Although not shown, if the connection agent cannot acquire an IP address, the flow ends.

At block 804, the connection agent probes a network server. For example, the connection agent sends an HTTP request to a known server, such as a server maintained by iPass, Inc. of Redwood City, Calif. In some embodiments, the server is guaranteed to be online and not cached. The flow continues at block 806.

At block 806, the connection agent determines whether the probe was redirected to a gateway. For example, the connection agent's HTTP request may have been redirected to a gateway that performs authentication before allowing access to the Internet. If the network probe was redirected, the flow continues at block 808. Otherwise, the flow continues at block 816.

At block 808, after being redirected to a gateway, the connection agent determines whether the gateway supports Generic Interface Specification (GIS). In some instances, the connection agent and gateway exchange HTML documents. The connection agent can detect GIS support by detecting an HTML tag associated with GIS. If the gateway supports GIS, the flow continues at block 810. If the gateway does not support GIS, the flow continues at block 824.

At block 810, the connection agent determines whether the gateway supports location discovery. Location discovery is a function by which the connection agent transmits a "dummy" authentication request to the gateway. The gateway responds to the dummy authentication request with location information, such as street address, company name, telephone number, or other information about the network and its location. If the gateway supports location discovery, the flow continues at block 812. If the gateway does not support location discovery, the flow continues at block 826. In yet another possibility, if the connection agent itself does not support location discovery, the flow continues at block 824.

After determining that the gateway supports location discovery, the flow continues at block 812. At block 812, the connection agent determines whether provisioning information indicates that the network is listed in the public directory, and that the network is GIS-enabled. If the provisioning information indicates the network is listed in the public directory and GIS-enabled, the flow continues at block 814. Otherwise, the flow continues at block 828. At block 814, the connection agent determines that the network is a trusted, public network. At block 828, the connection agent determines that the network is untrusted and unknown. From blocks

As noted, if the connection agent itself does not support location discovery, the flow continues at block 824. At block 824, the connection agent determines whether the network is listed in the personal directory, and the network's BSSID matches provisioning information. If not, the connection agent determines the network is unknown and untrusted (see block 828). Otherwise, the flow continues at block 820. At block 820, the connection agent determines whether the network's subnet mask and gateway IP address match provisioning information. If so, the connection agent assigns the category and trust level to be those indicated in the provisioning information (e.g., known and trusted) (see block 822). However, if the addresses do not match, the flow continues at block 828, where the connection agent determines that the network is unknown and untrusted.

Referring back to block 806, if the connection agent is not redirected to a gateway, the flow continues at block 816. At block 816, the connection agent determines whether it has received content from the website that it probed. For example, the connection agent determines whether it has received content from the iPass website. If the connection agent received content from the website that it probed, the flow continues at block 818. At block 818, the connection agent determines whether the network is not GIS-enabled and not click-through-enabled. If so, the flow continues at block 828, where the connection agent determines the network is untrusted and unknown. Otherwise, the flow continues at block 820 (see the description of block 820 above).

Referring back to block 816, if the connection agent does not receive content from the website it probed at block 804, the flow continues at block 830. At block 830, the connection agent determines whether the website is click-through-enabled. If so, the flow continues at block 820. Otherwise, the flow continues at block 822. The operations at blocks

After completing the flow 800, the connection agent has performed operations for characterizing the network based on interactions at the network layer. In some embodiments, the connection agent uses results from the network-layer characterization in other characterization flows, such as the flow for characterizing a Wi-Fi network (see block 722 of FIG. 7).

This discussion continues with a description of operations for characterizing 3G and 4G networks.
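The FIG. 8 decision tree written out as an added example, not the patent's own code. The HTTP probe of blocks 802 through 816 is represented by a ProbeResult that the caller fills in from its own probe, so the decisions run offline; the record fields and every name are assumptions, and block 826, which the text does not describe, is left undecided rather than guessed.

```python
"""Network-layer (layer 3) characterization decisions modelled on FIG. 8.

Added example, not the patent's own code. The probe outcome is a record the
caller fills in; every field and name here is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UNKNOWN = ("unknown", "untrusted")      # block 828


@dataclass
class ProbeResult:
    got_ip: bool                        # block 802
    redirected: bool                    # block 806: answered by a gateway?
    gateway_gis: bool = False           # block 808: GIS tag seen in gateway HTML
    gateway_location: bool = False      # block 810: gateway answers location discovery
    content_received: bool = False      # block 816: expected content from probed site
    observed_bssid: str = ""
    observed_subnet: str = ""
    observed_gateway: str = ""


@dataclass
class Provisioned:
    """What the directories say about this network."""
    in_public_dir: bool = False
    gis_enabled: bool = False
    click_through: bool = False
    in_personal_dir: bool = False
    bssid: str = ""
    subnet: str = ""
    gateway: str = ""
    category: str = "known"
    trust: str = "trusted"


def _address_check(probe, prov):
    """Block 820: subnet mask and gateway IP must both match provisioning."""
    if probe.observed_subnet == prov.subnet and probe.observed_gateway == prov.gateway:
        return (prov.category, prov.trust)      # block 822
    return UNKNOWN                              # block 828


def _personal_checks(probe, prov):
    """Block 824: personal-directory listing and a matching BSSID, then block 820."""
    if prov.in_personal_dir and probe.observed_bssid == prov.bssid:
        return _address_check(probe, prov)
    return UNKNOWN


def characterize_layer3(probe, prov, agent_supports_location=True) -> Optional[Tuple[str, str]]:
    """Returns (category, trust), or None where the flow ends without a decision."""
    if not probe.got_ip:                                        # block 802
        return None
    if probe.redirected:                                        # block 806
        if not probe.gateway_gis or not agent_supports_location:   # blocks 808/810 -> 824
            return _personal_checks(probe, prov)
        if not probe.gateway_location:
            return None     # block 826 is not described in the text; left undecided
        if prov.in_public_dir and prov.gis_enabled:             # block 812
            return ("public", "trusted")                        # block 814
        return UNKNOWN                                          # block 828
    if probe.content_received:                                  # block 816 -> 818
        if not prov.gis_enabled and not prov.click_through:
            return UNKNOWN
        return _address_check(probe, prov)
    if prov.click_through:                                      # block 830
        return _address_check(probe, prov)
    return (prov.category, prov.trust)                          # block 822


def demo():
    """Constructed sample: a home network provisioned with its BSSID, subnet and
    gateway, probed twice: once as expected, once behind a different gateway."""
    home = Provisioned(in_personal_dir=True, bssid="aa:bb:cc:dd:ee:ff",
                       subnet="255.255.255.0", gateway="192.168.1.1")
    genuine = ProbeResult(got_ip=True, redirected=True, gateway_gis=False,
                          observed_bssid="aa:bb:cc:dd:ee:ff",
                          observed_subnet="255.255.255.0", observed_gateway="192.168.1.1")
    lookalike = ProbeResult(got_ip=True, redirected=True, gateway_gis=False,
                            observed_bssid="aa:bb:cc:dd:ee:ff",
                            observed_subnet="255.255.255.0", observed_gateway="10.0.0.1")
    return characterize_layer3(genuine, home), characterize_layer3(lookalike, home)
```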
FIG. 9 is a flow diagram illustrating operations for characterizing 3G networks, according to some embodiments of the invention. In FIG. 9, a flow 900 begins at block 902, where a connection agent detects 3G information for one or more 3G networks. The information can include a provider identifier, network identifier, etc. In some embodiments, the connection agent attempts to match the 3G information to entries in the public directory. The connection agent creates a list of one or more directory entries that match the 3G network information. The flow continues at block 904.

At block 904, the connection agent determines whether the computer's 3G adapter is configured to connect to a preselected 3G network. In some cases, 3G network providers configure 3G network adapters to automatically connect upon detecting the provider's 3G network identifier. Thus, when operational in the field, such adapters automatically connect to particular 3G networks. If the adapter is configured to connect to a pre-selected 3G network, the flow continues at block 910. At block 910, the connection agent determines that the network to which the adapter connected is a public, trusted network. Thus, the connection agent modifies the list entry (i.e., the entry in the list created at block 902) to indicate that the 3G network is a public, trusted network. From block 910, the flow ends.

However, if the adapter is not configured to automatically connect to a pre-selected 3G network, the flow continues at block 906. At block 906, the connection agent determines whether the 3G information, received at block 902, matches provisioning information. For example, for each entry in the list, the connection agent compares a provider identifier and network identifier to provisioning information. If the information matches, the connection agent determines the 3G network is a public, trusted network (see block 910). If the information does not match, the connection agent determines the 3G network is an unknown, untrusted network.

As noted above, the network information detected at block 902 may match multiple entries in the public directory. Thus, the connection agent creates a list of matching entries, and then processes the list. After the flow 900, the list may include more than one entry. Thus, the connection agent may select and return one entry from the list, where the selected entry indicates a trust level and category for the network. In some embodiments, the trust level and category are used in the flow 400 of FIG. 4 (e.g., at block 424). The selection process may consider security policies and other factors. In some embodiments, the connection agent selects the list entry having the highest trust level (e.g., a network that is known and trusted) and returns that list entry. The following flows can also make similar selections.

FIG. 10 is a flow diagram illustrating operations for characterizing 4G networks, according to some embodiments of the invention. In FIG. 10, the flow begins at block 1002, where the connection agent detects information about one or more 4G networks. In some embodiments, the 4G network information can include an SSID, network identifier, etc. The flow continues at block 1004.

At block 1004, the connection agent matches the 4G network information with provisioning information. In some embodiments, the connection agent compares the 4G information to the public directory. In turn, the connection agent creates a list of matching directory entries. The flow continues at block 1006.

At block 1006, the connection agent begins a loop in which it will process each matching entry in the list. The flow continues at block 1008, where the connection agent probes an 802.1X device. For example, the connection agent attempts to authenticate with an 802.1X server, using provisioning information (e.g., a password from the directory entry). The flow continues at block 1010.

At block 1010, the connection agent determines whether the authentication information was accepted by the 802.1X server. If so, the flow continues at block 1012. At block 1012, the connection agent determines that the network is a public, trusted network.

If the authentication information was not accepted by the 802.1X server, the connection agent determines that the network is unknown and untrusted (see block 1016). From block 1016, the flow continues at block 1014, where it ends if it has reached the end of the list of matching directory entries. If there are more matching directory entries to process, the flow continues at block 1006. After performing the flow 1000, the connection agent can select one of the list entries to return, such as for processing in the flow 400 of FIG. 4.

In the discussion above, the flow diagrams describe receiving or detecting network information. For example, see the operations at blocks 902 and 1002. For such operations, some embodiments receive/detect the network information by performing operations in FIG. 4 (e.g., at block 402). Other embodiments perform other operations to receive or detect the network information.

Thus far, the flow diagrams have described operations for characterizing wireless networks, such as Wi-Fi, 3G, and 4G. However, some embodiments can characterize wireless and wired networks. This discussion continues with a description of how some embodiments may characterize Ethernet networks and other wired networks.
FIG. 11 is a flow diagram illustrating operations for characterizing Ethernet and digital subscriber line (DSL) networks, according to some embodiments of the invention. In FIG. 11, a flow 1100 begins at block 1102, where a connection agent detects information about one or more Ethernet and DSL networks. The flow continues at block 1104.

At block 1104, the connection agent searches provisioning information for matching networks. For example, the connection agent may search the personal directory, campus directory, and public directory for network entries associated with Ethernet and DSL networks. In some instances, the connection agent looks for directory entries that have a media type of Ethernet (or DSL), and that support 802.1X or PPP. In turn, the connection agent creates a list of matching directory entries. The flow continues at block 1106.

Beginning at block 1106, the flow 1100 performs a loop that processes each of the matching directory entries in the list. The flow continues at block 1108. At block 1108, the connection agent determines, based on provisioning information, whether the network is expected to support 802.1X. If the network is expected to support 802.1X, the flow continues at block 1112. At block 1112, the connection agent probes an 802.1X server to determine whether it will accept authentication credentials stored in the provisioning information. If the 802.1X server accepts the credentials, the network's category and trust level are those indicated in the provisioning information (see blocks 1120 and 1122). For example, if the matching directory entry indicates the network is public and trusted, the connection agent assigns the network's category to public and trust level to trusted. If the 802.1X server does not accept the authentication information, the connection agent assigns the network's trust level to untrusted and category to unknown (see blocks 1120 and 1124). Blocks 1120 and 1124 continue at block 1126, which loops back to block 1106 if there are more list entries to process. If there are no more list entries to process, the flow ends.

Referring back to block 1108, if the list entry indicates that the network employs PPP, the flow continues at block 1116. At block 1116, if the network is a DSL network, the flow continues at block 1118. Otherwise, the flow continues at block 1100 work. At block 1118, the connection agent probes the DSL network using authentication information in the matching list entry. If the network accepts the authentication information, the connection agent assigns the network's category and trust level based on what is in the provisioning information (i.e., the trust level and category noted in the matching list entry) (see blocks 1120 and 1122). Otherwise, the connection agent assigns the network entry's category to unknown, and its trust level to untrusted (see blocks 1120 and 1124). As noted above, blocks 1120 and 1124 continue at block 1126. Block 1126 loops back to block 1106 if there are more list entries to process. Otherwise, the flow 1100 ends.

Referring back to block 1108, if the list entry indicates that the network employs a protocol other than PPP, the flow continues at block 1114. At block 1114, the connection agent determines a network's trust level and category by interacting with the network at layer 3 (i.e., the network layer). In some embodiments, the connection agent does this by performing the operations shown in FIG. 8. If the connection agent attempts layer 3 operations but finds that no network is available (see block 1128), the connection agent removes the entry from the list of matching entries (see block 1130). From block 1130, the flow continues at block 1126.

FIG. 12 is a flow diagram illustrating operations for characterizing dial-up, GSM, ISDN, and PHS networks, according to some embodiments of the invention. Although FIG. 12 describes operations for a plurality of network media types, for clarity, the following discussion will only refer to dial-up networks. In FIG. 12, a flow 1200 begins at block 1202, where a connection agent detects information from a dial-up network. The connection agent may receive this information from a dial-up adapter. The information can include geographical context information, such as latitude, longitude, altitude, zip code, county, country, city, state, continent, etc. In some embodiments, the geographical context information is received or otherwise determined by another device, such as a global positioning system device. The flow continues at block 1204.

At block 1204, the connection agent creates a list of networks that have matching provisioning information. For example, the connection agent searches the public directory and campus directory for entries whose media type is dial-up, and whose geographic context matches that detected at block 1202. Although not shown, if no directory entries match, the flow ends. Otherwise, the flow continues at block 1206.

At block 1206, the flow 1200 begins a loop for processing the matching directory entries. The flow continues at block 1208, where the connection agent assigns a category and trust level based on provisioning information. For example, if the matching entry indicates the dial-up network is public and trusted, the connection agent assigns the category and trust level as such. The flow continues at block 1210.

At block 1210, if the connection agent has processed all entries in the list, the flow ends. Otherwise, the flow continues at block 1206.

In FIGS. 7-12, when the connection agent probes or otherwise interacts with a network, it can store the result in a result cache. If there are multiple directory matches, after probing for the first match, the connection agent can avoid interacting with the network by using information in the result cache.

This description describes numerous details about embodiments of the invention. However, some embodiments may be practiced without these specific details. In some instances, for the sake of clarity, this description omits well-known circuits, structures and techniques. In this description, references to "one embodiment" or "an embodiment" mean that a feature is included in at least one embodiment of the invention. Furthermore, separate references to embodiments do not necessarily refer to the same embodiment. Thus, the present invention can include any combination of the embodiments described herein.
Claims (10)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/004,821 US9167053B2 (en) | 2005-09-29 | 2011-01-11 | Advanced network characterization |
US14/887,160 US9420045B2 (en) | 2005-09-29 | 2015-10-19 | Advanced network characterization |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/239,707 US9088627B2 (en) | 2005-09-29 | 2005-09-29 | System and method for actively characterizing a network |
US13/004,821 US9167053B2 (en) | 2005-09-29 | 2011-01-11 | Advanced network characterization |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/239,707 Continuation-In-Part US9088627B2 (en) | 2005-09-29 | 2005-09-29 | System and method for actively characterizing a network |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/887,160 Continuation US9420045B2 (en) | 2005-09-29 | 2015-10-19 | Advanced network characterization |
Publications (2)
Publication Number | Publication Date |
---|---|
US20110208866A1 true US20110208866A1 (en) | 2011-08-25 |
US9167053B2 US9167053B2 (en) | 2015-10-20 |
Family
ID=44477426
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/004,821 Active 2026-05-27 US9167053B2 (en) | 2005-09-29 | 2011-01-11 | Advanced network characterization |
US14/887,160 Active US9420045B2 (en) | 2005-09-29 | 2015-10-19 | Advanced network characterization |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/887,160 Active US9420045B2 (en) | 2005-09-29 | 2015-10-19 | Advanced network characterization |
Country Status (1)
Country | Link |
---|---|
US (2) | US9167053B2 (en) |
Cited By (60)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070073868A1 (en) * | 2005-09-29 | 2007-03-29 | Ipass Inc. | System and method for actively characterizing a network |
US20090323644A1 (en) * | 2006-02-17 | 2009-12-31 | Canon Kabushiki Kaisha | Communication apparatus, method and system |
US20110040867A1 (en) * | 2009-08-12 | 2011-02-17 | Cellco Partnership D/B/A Verizon Wireless | Mechanism to detect restricted access via internet hotspot |
US20120188876A1 (en) * | 2011-01-21 | 2012-07-26 | T-Mobile Usa, Inc. | Smart Connection Manager |
US20130166601A1 (en) * | 2010-04-30 | 2013-06-27 | Evan V. Chrapko | Systems and methods for conducting reliable assessments with connectivity information |
US20130203455A1 (en) * | 2010-12-06 | 2013-08-08 | Sony Corporation | Communication system and communication apparatus |
US20130269008A1 (en) * | 2012-04-04 | 2013-10-10 | Ming-Jye Sheu | Key assignment for a brand |
US8646074B1 (en) * | 2012-03-14 | 2014-02-04 | Symantec Corporation | Systems and methods for enabling otherwise unprotected computing devices to assess the reputations of wireless access points |
US20140075523A1 (en) * | 2012-09-10 | 2014-03-13 | Nokia Corporation | Method, apparatus, and computer program product for sharing wireless network credentials |
US8799993B1 (en) * | 2013-03-14 | 2014-08-05 | Vonage Network Llc | Method and apparatus for configuring communication parameters on a wireless device |
WO2014158917A1 (en) * | 2013-03-14 | 2014-10-02 | Qualcomm Incorporated | Selecting a network for a wireless device |
US9019165B2 (en) | 2004-08-18 | 2015-04-28 | Ruckus Wireless, Inc. | Antenna with selectable elements for use in wireless communications |
US9071583B2 (en) | 2006-04-24 | 2015-06-30 | Ruckus Wireless, Inc. | Provisioned configuration for automatic wireless connection |
US20150189511A1 (en) * | 2013-12-30 | 2015-07-02 | Anchorfree Inc | System and method for security and quality assessment of wireless access points |
US20150188940A1 (en) * | 2013-12-30 | 2015-07-02 | Anchorfree Inc | System and method for security and quality assessment of wireless access points |
US9093758B2 (en) | 2004-12-09 | 2015-07-28 | Ruckus Wireless, Inc. | Coverage antenna apparatus with selectable horizontal and vertical polarization elements |
US20150236939A1 (en) * | 2014-02-17 | 2015-08-20 | General Electric Company | Systems and methods for enhanced network identification |
US9131378B2 (en) | 2006-04-24 | 2015-09-08 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US9191874B2 (en) | 2012-12-31 | 2015-11-17 | Ipass Inc. | Advanced network characterization and migration |
US20150341358A1 (en) * | 2014-05-26 | 2015-11-26 | Kaspersky Lab Zao | Method and system for determining trusted wireless access points |
EP2950591A1 (en) * | 2014-05-26 | 2015-12-02 | Kaspersky Lab, ZAO | Method and system for determining trusted wireless access points |
US9226146B2 (en) | 2012-02-09 | 2015-12-29 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US9270029B2 (en) | 2005-01-21 | 2016-02-23 | Ruckus Wireless, Inc. | Pattern shaping of RF emission patterns |
US9313798B2 (en) | 2005-12-01 | 2016-04-12 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US9369872B2 (en) | 2013-03-14 | 2016-06-14 | Vonage Business Inc. | Method and apparatus for configuring communication parameters on a wireless device |
US9379456B2 (en) | 2004-11-22 | 2016-06-28 | Ruckus Wireless, Inc. | Antenna array |
US9420045B2 (en) | 2005-09-29 | 2016-08-16 | Ipass Inc. | Advanced network characterization |
WO2016145881A1 (en) * | 2015-09-30 | 2016-09-22 | 中兴通讯股份有限公司 | Wireless fidelity network establishment method and device |
CN106211103A (en) * | 2016-09-29 | 2016-12-07 | 深圳市金立通信设备有限公司 | A kind of wireless network connection prompting method and terminal |
US9544798B1 (en) | 2015-07-23 | 2017-01-10 | Qualcomm Incorporated | Profiling rogue access points |
US20170085566A1 (en) * | 2015-09-18 | 2017-03-23 | Samsung Electronics Co., Ltd. | Electronic device and control method thereof |
US9634403B2 (en) | 2012-02-14 | 2017-04-25 | Ruckus Wireless, Inc. | Radio frequency emission pattern shaping |
CN106714172A (en) * | 2015-11-18 | 2017-05-24 | 中兴通讯股份有限公司 | WIFI hotspot processing method, device and system |
US9769655B2 (en) | 2006-04-24 | 2017-09-19 | Ruckus Wireless, Inc. | Sharing security keys with headless devices |
WO2017176068A1 (en) * | 2016-04-06 | 2017-10-12 | Samsung Electronics Co., Ltd. | System and method for validating authenticity of base station and/or information received from base station |
US9792188B2 (en) | 2011-05-01 | 2017-10-17 | Ruckus Wireless, Inc. | Remote cable access point reset |
US20180027079A1 (en) * | 2016-07-19 | 2018-01-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication stack optimized per application without virtual machine overhead |
US10055466B2 (en) | 2016-02-29 | 2018-08-21 | Www.Trustscience.Com Inc. | Extrapolating trends in trust scores |
US20180241766A1 (en) * | 2015-08-27 | 2018-08-23 | Pcms Holdings, Inc. | Trustworthy cloud-based smart space rating with distributed data collection |
US10121115B2 (en) | 2016-03-24 | 2018-11-06 | Www.Trustscience.Com Inc. | Learning an entity's trust model and risk tolerance to calculate its risk-taking score |
US10127618B2 (en) | 2009-09-30 | 2018-11-13 | Www.Trustscience.Com Inc. | Determining connectivity within a community |
US10180969B2 (en) | 2017-03-22 | 2019-01-15 | Www.Trustscience.Com Inc. | Entity resolution and identity management in big, noisy, and/or unstructured data |
US10186750B2 (en) | 2012-02-14 | 2019-01-22 | Arris Enterprises Llc | Radio frequency antenna array with spacing element |
US10187277B2 (en) | 2009-10-23 | 2019-01-22 | Www.Trustscience.Com Inc. | Scoring using distributed database with encrypted communications for credit-granting and identification verification |
US10380703B2 (en) | 2015-03-20 | 2019-08-13 | Www.Trustscience.Com Inc. | Calculating a trust score |
US10772035B2 (en) * | 2018-10-24 | 2020-09-08 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method and apparatus for generating information |
US10846121B2 (en) | 2016-03-18 | 2020-11-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Using nano-services to secure multi-tenant networking in datacenters |
US20210029119A1 (en) * | 2016-03-28 | 2021-01-28 | Zscaler, Inc. | Cloud policy enforcement based on network trust |
US10908814B2 (en) * | 2012-06-21 | 2021-02-02 | Google Llc | Secure data entry via a virtual keyboard |
US11122037B2 (en) * | 2018-02-27 | 2021-09-14 | Bank Of America Corporation | Internet of things (“IoT”) protection retro-system |
US20220086153A1 (en) * | 2020-01-15 | 2022-03-17 | Worldpay Limited | Systems and methods for authenticating an electronic transaction using hosted authentication service |
US11386129B2 (en) | 2016-02-17 | 2022-07-12 | Www.Trustscience.Com Inc. | Searching for entities based on trust score and geography |
US11550713B1 (en) | 2020-11-25 | 2023-01-10 | Amazon Technologies, Inc. | Garbage collection in distributed systems using life cycled storage roots |
US11593270B1 (en) | 2020-11-25 | 2023-02-28 | Amazon Technologies, Inc. | Fast distributed caching using erasure coded object parts |
US11714682B1 (en) | 2020-03-03 | 2023-08-01 | Amazon Technologies, Inc. | Reclaiming computing resources in an on-demand code execution system |
US11714675B2 (en) | 2019-06-20 | 2023-08-01 | Amazon Technologies, Inc. | Virtualization-based transaction handling in an on-demand network code execution system |
US11836516B2 (en) | 2018-07-25 | 2023-12-05 | Amazon Technologies, Inc. | Reducing execution times in an on-demand network code execution system using saved machine states |
US11861386B1 (en) * | 2019-03-22 | 2024-01-02 | Amazon Technologies, Inc. | Application gateways in an on-demand network code execution system |
US11875173B2 (en) | 2018-06-25 | 2024-01-16 | Amazon Technologies, Inc. | Execution of auxiliary functions in an on-demand network code execution system |
US11943093B1 (en) | 2018-11-20 | 2024-03-26 | Amazon Technologies, Inc. | Network connection recovery after virtual machine transition in an on-demand network code execution system |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9942756B2 (en) * | 2014-07-17 | 2018-04-10 | Cirrent, Inc. | Securing credential distribution |
US10356651B2 (en) | 2014-07-17 | 2019-07-16 | Cirrent, Inc. | Controlled connection of a wireless device to a network |
US10834592B2 (en) | 2014-07-17 | 2020-11-10 | Cirrent, Inc. | Securing credential distribution |
US10154409B2 (en) | 2014-07-17 | 2018-12-11 | Cirrent, Inc. | Binding an authenticated user with a wireless device |
US10764944B2 (en) | 2016-11-30 | 2020-09-01 | At&T Mobility Ii Llc | Trust mode switching for wireless access points |
US10764755B2 (en) | 2017-09-07 | 2020-09-01 | 802 Secure, Inc. | Systems and methods for providing wireless access security by interrogation |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5774525A (en) * | 1995-01-23 | 1998-06-30 | International Business Machines Corporation | Method and apparatus utilizing dynamic questioning to provide secure access control |
US20020029276A1 (en) * | 2000-04-12 | 2002-03-07 | Samuel Bendinelli | Methods and systems for an extranet |
US6609198B1 (en) * | 1999-08-05 | 2003-08-19 | Sun Microsystems, Inc. | Log-on service providing credential level change without loss of session continuity |
US20030212909A1 (en) * | 2002-01-18 | 2003-11-13 | Lucent Technologies Inc. | Tool, method and apparatus for assessing network security |
US6892307B1 (en) * | 1999-08-05 | 2005-05-10 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements |
US20050177631A1 (en) * | 2004-02-06 | 2005-08-11 | Microsoft Corporation | Network DNA |
US20050207410A1 (en) * | 2004-03-19 | 2005-09-22 | Akshay Adhikari | Automatic determination of connectivity problem locations or other network-characterizing information in a network utilizing an encapsulation protocol |
US20060094400A1 (en) * | 2003-02-28 | 2006-05-04 | Brent Beachem | System and method for filtering access points presented to a user and locking onto an access point |
US20060117104A1 (en) * | 2004-09-17 | 2006-06-01 | Fujitsu Limited | Setting information distribution apparatus, method, program, and medium, authentication setting transfer apparatus, method, program, and medium, and setting information reception program |
US20060174035A1 (en) * | 2005-01-28 | 2006-08-03 | At&T Corp. | System, device, & method for applying COS policies |
US7213048B1 (en) * | 2000-04-05 | 2007-05-01 | Microsoft Corporation | Context aware computing devices and methods |
US7296288B1 (en) * | 2002-11-15 | 2007-11-13 | Packeteer, Inc. | Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users |
US7805414B2 (en) * | 2004-12-10 | 2010-09-28 | Jean-Pierre Duplessis | Wireless network customization |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6742048B1 (en) * | 2000-07-10 | 2004-05-25 | Advanced Micro Devices, Inc. | Multilevel network for distributing trusted time and delegating levels of trust regarding timekeeping |
US7120129B2 (en) | 2001-03-13 | 2006-10-10 | Microsoft Corporation | System and method for achieving zero-configuration wireless computing and computing device incorporating same |
US8014305B1 (en) | 2001-09-07 | 2011-09-06 | Qualcomm Atheros, Inc. | Wireless LAN using transmission monitoring |
US20030206532A1 (en) | 2002-05-06 | 2003-11-06 | Extricom Ltd. | Collaboration between wireless lan access points |
US20050149948A1 (en) | 2003-12-30 | 2005-07-07 | Intel Corporation | System and method for monitoring and managing connection manager activity |
US7805140B2 (en) | 2005-02-18 | 2010-09-28 | Cisco Technology, Inc. | Pre-emptive roaming mechanism allowing for enhanced QoS in wireless network environments |
US20060230278A1 (en) * | 2005-03-30 | 2006-10-12 | Morris Robert P | Methods,systems, and computer program products for determining a trust indication associated with access to a communication network |
US7889663B1 (en) | 2005-07-12 | 2011-02-15 | Azimuth Systems, Inc. | Evaluation of handoff in wireless networks using emulation |
US9088627B2 (en) | 2005-09-29 | 2015-07-21 | Ipass Inc. | System and method for actively characterizing a network |
US9167053B2 (en) | 2005-09-29 | 2015-10-20 | Ipass Inc. | Advanced network characterization |
US9049651B2 (en) | 2006-08-25 | 2015-06-02 | Qualcomm Incorporated | Selection of an access point in a communications system |
US8605678B2 (en) | 2007-01-31 | 2013-12-10 | Broadcom Corporation | Anticipatory hand-off setup between networks |
US8577369B2 (en) | 2007-04-11 | 2013-11-05 | Apple, Inc. | Seamless and vertical call handoff solution architecture |
GB2449923B (en) | 2007-06-09 | 2011-09-28 | King's College London | Inter-working of networks |
KR100891757B1 (en) | 2007-07-26 | 2009-04-07 | 엘지노텔 주식회사 | Method and apparatus for providing neighborhood ap information in a wlan system |
US8364152B2 (en) | 2009-08-26 | 2013-01-29 | Samsung Electronics Co., Ltd. | Macrocell to Femtocell and Femtocell to Femtocell handoff |
US8724603B2 (en) | 2011-03-08 | 2014-05-13 | Blackberry Limited | Network access and a mobile station configured for the same |
US8879992B2 (en) | 2011-10-27 | 2014-11-04 | Nokia Corporation | Method, apparatus, and computer program product for discovery of wireless networks |
US9026099B2 (en) | 2011-12-08 | 2015-05-05 | Apple Inc. | Mechanisms to improve mobile device roaming in wireless networks |
US9191874B2 (en) | 2012-12-31 | 2015-11-17 | Ipass Inc. | Advanced network characterization and migration |
2011
- 2011-01-11 US US13/004,821 patent/US9167053B2/en active Active
2015
- 2015-10-19 US US14/887,160 patent/US9420045B2/en active Active
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5774525A (en) * | 1995-01-23 | 1998-06-30 | International Business Machines Corporation | Method and apparatus utilizing dynamic questioning to provide secure access control |
US6609198B1 (en) * | 1999-08-05 | 2003-08-19 | Sun Microsystems, Inc. | Log-on service providing credential level change without loss of session continuity |
US6892307B1 (en) * | 1999-08-05 | 2005-05-10 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements |
US7213048B1 (en) * | 2000-04-05 | 2007-05-01 | Microsoft Corporation | Context aware computing devices and methods |
US20020029276A1 (en) * | 2000-04-12 | 2002-03-07 | Samuel Bendinelli | Methods and systems for an extranet |
US20030212909A1 (en) * | 2002-01-18 | 2003-11-13 | Lucent Technologies Inc. | Tool, method and apparatus for assessing network security |
US7296288B1 (en) * | 2002-11-15 | 2007-11-13 | Packeteer, Inc. | Methods, apparatuses, and systems allowing for bandwidth management schemes responsive to utilization characteristics associated with individual users |
US20060094400A1 (en) * | 2003-02-28 | 2006-05-04 | Brent Beachem | System and method for filtering access points presented to a user and locking onto an access point |
US20050177631A1 (en) * | 2004-02-06 | 2005-08-11 | Microsoft Corporation | Network DNA |
US20050207410A1 (en) * | 2004-03-19 | 2005-09-22 | Akshay Adhikari | Automatic determination of connectivity problem locations or other network-characterizing information in a network utilizing an encapsulation protocol |
US20060117104A1 (en) * | 2004-09-17 | 2006-06-01 | Fujitsu Limited | Setting information distribution apparatus, method, program, and medium, authentication setting transfer apparatus, method, program, and medium, and setting information reception program |
US7805414B2 (en) * | 2004-12-10 | 2010-09-28 | Jean-Pierre Duplessis | Wireless network customization |
US20060174035A1 (en) * | 2005-01-28 | 2006-08-03 | At&T Corp. | System, device, & method for applying COS policies |
Non-Patent Citations (1)
Title |
---|
"Trusted Computing-Based Security Architecture For 4G Mobile Networks" - Zheng et al, MSR-Waypoint, 6/2005 http://msr-waypoint.com/en-us/people/yuzheng/trusted_computing-based_security_architecture_for_4g_mobile_netw.pdf * |
Cited By (105)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9019165B2 (en) | 2004-08-18 | 2015-04-28 | Ruckus Wireless, Inc. | Antenna with selectable elements for use in wireless communications |
US9837711B2 (en) | 2004-08-18 | 2017-12-05 | Ruckus Wireless, Inc. | Antenna with selectable elements for use in wireless communications |
US9379456B2 (en) | 2004-11-22 | 2016-06-28 | Ruckus Wireless, Inc. | Antenna array |
US9093758B2 (en) | 2004-12-09 | 2015-07-28 | Ruckus Wireless, Inc. | Coverage antenna apparatus with selectable horizontal and vertical polarization elements |
US10056693B2 (en) | 2005-01-21 | 2018-08-21 | Ruckus Wireless, Inc. | Pattern shaping of RF emission patterns |
US9270029B2 (en) | 2005-01-21 | 2016-02-23 | Ruckus Wireless, Inc. | Pattern shaping of RF emission patterns |
US9420045B2 (en) | 2005-09-29 | 2016-08-16 | Ipass Inc. | Advanced network characterization |
US9088627B2 (en) | 2005-09-29 | 2015-07-21 | Ipass Inc. | System and method for actively characterizing a network |
US20070073868A1 (en) * | 2005-09-29 | 2007-03-29 | Ipass Inc. | System and method for actively characterizing a network |
US9313798B2 (en) | 2005-12-01 | 2016-04-12 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US8953577B2 (en) * | 2006-02-17 | 2015-02-10 | Canon Kabushiki Kaisha | Communication apparatus, method and system |
US10645630B2 (en) | 2006-02-17 | 2020-05-05 | Canon Kabushiki Kaisha | Communication apparatus, method and system |
US9924440B2 (en) | 2006-02-17 | 2018-03-20 | Canon Kabushiki Kaisha | Communication apparatus, method and system |
US20090323644A1 (en) * | 2006-02-17 | 2009-12-31 | Canon Kabushiki Kaisha | Communication apparatus, method and system |
US9769655B2 (en) | 2006-04-24 | 2017-09-19 | Ruckus Wireless, Inc. | Sharing security keys with headless devices |
US9071583B2 (en) | 2006-04-24 | 2015-06-30 | Ruckus Wireless, Inc. | Provisioned configuration for automatic wireless connection |
US9131378B2 (en) | 2006-04-24 | 2015-09-08 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US20110040867A1 (en) * | 2009-08-12 | 2011-02-17 | Cellco Partnership D/B/A Verizon Wireless | Mechanism to detect restricted access via internet hotspot |
US8131847B2 (en) * | 2009-08-12 | 2012-03-06 | Cellco Partnership | Mechanism to detect restricted access via internet hotspot |
US20120124209A1 (en) * | 2009-08-12 | 2012-05-17 | Cellco Partnership D/B/A Verizon Wireless | Mechanism to detect restricted access via internet hotspot |
US8296428B2 (en) * | 2009-08-12 | 2012-10-23 | Cellco Partnership | Mechanism to detect restricted access via internet hotspot |
US11323347B2 (en) | 2009-09-30 | 2022-05-03 | Www.Trustscience.Com Inc. | Systems and methods for social graph data analytics to determine connectivity within a community |
US10127618B2 (en) | 2009-09-30 | 2018-11-13 | Www.Trustscience.Com Inc. | Determining connectivity within a community |
US10187277B2 (en) | 2009-10-23 | 2019-01-22 | Www.Trustscience.Com Inc. | Scoring using distributed database with encrypted communications for credit-granting and identification verification |
US11665072B2 (en) | 2009-10-23 | 2023-05-30 | Www.Trustscience.Com Inc. | Parallel computational framework and application server for determining path connectivity |
US10812354B2 (en) | 2009-10-23 | 2020-10-20 | Www.Trustscience.Com Inc. | Parallel computational framework and application server for determining path connectivity |
US10348586B2 (en) | 2009-10-23 | 2019-07-09 | Www.Trustscience.Com Inc. | Parallel computatonal framework and application server for determining path connectivity |
US20130166601A1 (en) * | 2010-04-30 | 2013-06-27 | Evan V. Chrapko | Systems and methods for conducting reliable assessments with connectivity information |
US9922134B2 (en) * | 2010-04-30 | 2018-03-20 | Www.Trustscience.Com Inc. | Assessing and scoring people, businesses, places, things, and brands |
US20130203455A1 (en) * | 2010-12-06 | 2013-08-08 | Sony Corporation | Communication system and communication apparatus |
US9386399B2 (en) * | 2010-12-06 | 2016-07-05 | Sony Corporation | Method and system for connecting a communication apparatus to a network |
US8514717B2 (en) * | 2011-01-21 | 2013-08-20 | T-Mobile Usa, Inc. | Smart connection manager |
US20120188876A1 (en) * | 2011-01-21 | 2012-07-26 | T-Mobile Usa, Inc. | Smart Connection Manager |
US9591558B2 (en) * | 2011-01-21 | 2017-03-07 | T-Mobile Usa, Inc. | Smart connection manager |
US20150334640A1 (en) * | 2011-01-21 | 2015-11-19 | T-Mobile Usa, Inc. | Smart Connection Manager |
US20140050118A1 (en) * | 2011-01-21 | 2014-02-20 | T-Mobile Usa, Inc. | Smart Connection Manager |
US9107146B2 (en) * | 2011-01-21 | 2015-08-11 | T-Mobile Usa, Inc. | Smart connection manager |
US9792188B2 (en) | 2011-05-01 | 2017-10-17 | Ruckus Wireless, Inc. | Remote cable access point reset |
US9596605B2 (en) | 2012-02-09 | 2017-03-14 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US9226146B2 (en) | 2012-02-09 | 2015-12-29 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US10186750B2 (en) | 2012-02-14 | 2019-01-22 | Arris Enterprises Llc | Radio frequency antenna array with spacing element |
US9634403B2 (en) | 2012-02-14 | 2017-04-25 | Ruckus Wireless, Inc. | Radio frequency emission pattern shaping |
US10734737B2 (en) | 2012-02-14 | 2020-08-04 | Arris Enterprises Llc | Radio frequency emission pattern shaping |
US8646074B1 (en) * | 2012-03-14 | 2014-02-04 | Symantec Corporation | Systems and methods for enabling otherwise unprotected computing devices to assess the reputations of wireless access points |
US10182350B2 (en) | 2012-04-04 | 2019-01-15 | Arris Enterprises Llc | Key assignment for a brand |
US20130269008A1 (en) * | 2012-04-04 | 2013-10-10 | Ming-Jye Sheu | Key assignment for a brand |
US9092610B2 (en) * | 2012-04-04 | 2015-07-28 | Ruckus Wireless, Inc. | Key assignment for a brand |
US10908814B2 (en) * | 2012-06-21 | 2021-02-02 | Google Llc | Secure data entry via a virtual keyboard |
US11137909B2 (en) * | 2012-06-21 | 2021-10-05 | Google Llc | Secure data entry via a virtual keyboard |
US20140075523A1 (en) * | 2012-09-10 | 2014-03-13 | Nokia Corporation | Method, apparatus, and computer program product for sharing wireless network credentials |
US9191874B2 (en) | 2012-12-31 | 2015-11-17 | Ipass Inc. | Advanced network characterization and migration |
US9736748B1 (en) | 2012-12-31 | 2017-08-15 | Ipass Inc. | Advanced network characterization and migration |
US8799993B1 (en) * | 2013-03-14 | 2014-08-05 | Vonage Network Llc | Method and apparatus for configuring communication parameters on a wireless device |
US9955414B2 (en) | 2013-03-14 | 2018-04-24 | Qualcomm Incorporated | Selecting a network for a wireless device |
US9398525B2 (en) | 2013-03-14 | 2016-07-19 | Qualcomm Incorporated | Selecting a network for a wireless device |
WO2014158917A1 (en) * | 2013-03-14 | 2014-10-02 | Qualcomm Incorporated | Selecting a network for a wireless device |
US9369872B2 (en) | 2013-03-14 | 2016-06-14 | Vonage Business Inc. | Method and apparatus for configuring communication parameters on a wireless device |
KR101743187B1 (en) | 2013-03-14 | 2017-06-02 | 퀄컴 인코포레이티드 | Selecting a network for a wireless device |
US9686302B2 (en) * | 2013-12-30 | 2017-06-20 | Anchorfree, Inc. | System and method for security and quality assessment of wireless access points |
US20150189511A1 (en) * | 2013-12-30 | 2015-07-02 | Anchorfree Inc | System and method for security and quality assessment of wireless access points |
US9763099B2 (en) * | 2013-12-30 | 2017-09-12 | Anchorfree Inc. | System and method for security and quality assessment of wireless access points |
EP3090582A4 (en) * | 2013-12-30 | 2017-08-30 | Anchorfree Inc. | System and method for security and quality assessment of wireless access points |
US20150188940A1 (en) * | 2013-12-30 | 2015-07-02 | Anchorfree Inc | System and method for security and quality assessment of wireless access points |
US9455878B2 (en) * | 2014-02-17 | 2016-09-27 | Haier Us Appliance Solutions, Inc. | Systems and methods for enhanced network identification |
US20150236939A1 (en) * | 2014-02-17 | 2015-08-20 | General Electric Company | Systems and methods for enhanced network identification |
EP2950591A1 (en) * | 2014-05-26 | 2015-12-02 | Kaspersky Lab, ZAO | Method and system for determining trusted wireless access points |
US9742769B2 (en) * | 2014-05-26 | 2017-08-22 | AO Kaspersky Lab | Method and system for determining trusted wireless access points |
US20150341358A1 (en) * | 2014-05-26 | 2015-11-26 | Kaspersky Lab Zao | Method and system for determining trusted wireless access points |
US11900479B2 (en) | 2015-03-20 | 2024-02-13 | Www.Trustscience.Com Inc. | Calculating a trust score |
US10380703B2 (en) | 2015-03-20 | 2019-08-13 | Www.Trustscience.Com Inc. | Calculating a trust score |
US9544798B1 (en) | 2015-07-23 | 2017-01-10 | Qualcomm Incorporated | Profiling rogue access points |
WO2017014909A1 (en) * | 2015-07-23 | 2017-01-26 | Qualcomm Incorporated | Profiling rogue access points |
US20180241766A1 (en) * | 2015-08-27 | 2018-08-23 | Pcms Holdings, Inc. | Trustworthy cloud-based smart space rating with distributed data collection |
US20220329619A1 (en) * | 2015-08-27 | 2022-10-13 | Pcms Holdings, Inc. | Trustworthy cloud-based smart space rating with distributed data collection |
US11394737B2 (en) * | 2015-08-27 | 2022-07-19 | Pcms Holdings, Inc. | Trustworthy cloud-based smart space rating with distributed data collection |
US20170085566A1 (en) * | 2015-09-18 | 2017-03-23 | Samsung Electronics Co., Ltd. | Electronic device and control method thereof |
WO2016145881A1 (en) * | 2015-09-30 | 2016-09-22 | 中兴通讯股份有限公司 | Wireless fidelity network establishment method and device |
CN106714172A (en) * | 2015-11-18 | 2017-05-24 | 中兴通讯股份有限公司 | WIFI hotspot processing method, device and system |
US11386129B2 (en) | 2016-02-17 | 2022-07-12 | Www.Trustscience.Com Inc. | Searching for entities based on trust score and geography |
US11341145B2 (en) | 2016-02-29 | 2022-05-24 | Www.Trustscience.Com Inc. | Extrapolating trends in trust scores |
US10055466B2 (en) | 2016-02-29 | 2018-08-21 | Www.Trustscience.Com Inc. | Extrapolating trends in trust scores |
US10846121B2 (en) | 2016-03-18 | 2020-11-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Using nano-services to secure multi-tenant networking in datacenters |
US10121115B2 (en) | 2016-03-24 | 2018-11-06 | Www.Trustscience.Com Inc. | Learning an entity's trust model and risk tolerance to calculate its risk-taking score |
US11640569B2 (en) | 2016-03-24 | 2023-05-02 | Www.Trustscience.Com Inc. | Learning an entity's trust model and risk tolerance to calculate its risk-taking score |
US20210029119A1 (en) * | 2016-03-28 | 2021-01-28 | Zscaler, Inc. | Cloud policy enforcement based on network trust |
US10306470B2 (en) | 2016-04-06 | 2019-05-28 | Samsung Electronics Co., Ltd. | System and method for validating authenticity of base station and/or information received from base station |
WO2017176068A1 (en) * | 2016-04-06 | 2017-10-12 | Samsung Electronics Co., Ltd. | System and method for validating authenticity of base station and/or information received from base station |
US10356182B2 (en) * | 2016-07-19 | 2019-07-16 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication stack optimized per application without virtual machine overhead |
US20190173962A1 (en) * | 2016-07-19 | 2019-06-06 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication stack optimized per application without virtual machine overhead |
US20180027079A1 (en) * | 2016-07-19 | 2018-01-25 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication stack optimized per application without virtual machine overhead |
US10749966B2 (en) * | 2016-07-19 | 2020-08-18 | Telefonaktiebolaget Lm Ericsson (Publ) | Communication stack optimized per application without virtual machine overhead |
CN106211103A (en) * | 2016-09-29 | 2016-12-07 | 深圳市金立通信设备有限公司 | A kind of wireless network connection prompting method and terminal |
US10180969B2 (en) | 2017-03-22 | 2019-01-15 | Www.Trustscience.Com Inc. | Entity resolution and identity management in big, noisy, and/or unstructured data |
US11122037B2 (en) * | 2018-02-27 | 2021-09-14 | Bank Of America Corporation | Internet of things (“IoT”) protection retro-system |
US11875173B2 (en) | 2018-06-25 | 2024-01-16 | Amazon Technologies, Inc. | Execution of auxiliary functions in an on-demand network code execution system |
US11836516B2 (en) | 2018-07-25 | 2023-12-05 | Amazon Technologies, Inc. | Reducing execution times in an on-demand network code execution system using saved machine states |
US10772035B2 (en) * | 2018-10-24 | 2020-09-08 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method and apparatus for generating information |
US11943093B1 (en) | 2018-11-20 | 2024-03-26 | Amazon Technologies, Inc. | Network connection recovery after virtual machine transition in an on-demand network code execution system |
US11861386B1 (en) * | 2019-03-22 | 2024-01-02 | Amazon Technologies, Inc. | Application gateways in an on-demand network code execution system |
US11714675B2 (en) | 2019-06-20 | 2023-08-01 | Amazon Technologies, Inc. | Virtualization-based transaction handling in an on-demand network code execution system |
US11909736B2 (en) * | 2020-01-15 | 2024-02-20 | Worldpay Limited | Systems and methods for authenticating an electronic transaction using hosted authentication service |
US20220086153A1 (en) * | 2020-01-15 | 2022-03-17 | Worldpay Limited | Systems and methods for authenticating an electronic transaction using hosted authentication service |
US11714682B1 (en) | 2020-03-03 | 2023-08-01 | Amazon Technologies, Inc. | Reclaiming computing resources in an on-demand code execution system |
US11593270B1 (en) | 2020-11-25 | 2023-02-28 | Amazon Technologies, Inc. | Fast distributed caching using erasure coded object parts |
US11550713B1 (en) | 2020-11-25 | 2023-01-10 | Amazon Technologies, Inc. | Garbage collection in distributed systems using life cycled storage roots |
Also Published As
Publication number | Publication date |
---|---|
US20160044113A1 (en) | 2016-02-11 |
US9167053B2 (en) | 2015-10-20 |
US9420045B2 (en) | 2016-08-16 |
Similar Documents
Publication | Title |
---|---|
US9420045B2 (en) | Advanced network characterization |
US9913303B2 (en) | Systems and methods for network curation |
US8743778B2 (en) | Systems and methods for obtaining network credentials |
US8194589B2 (en) | Systems and methods for wireless network selection based on attributes stored in a network database |
RU2546610C1 (en) | Method of determining unsafe wireless access point |
US9326138B2 (en) | Systems and methods for determining location over a network |
US8554830B2 (en) | Systems and methods for wireless network selection |
EP1934795B1 (en) | Actively characterizing a network |
US20060265737A1 (en) | Methods, systems, and computer program products for providing trusted access to a communicaiton network based on location |
US20060230279A1 (en) | Methods, systems, and computer program products for establishing trusted access to a communication network |
JP5497646B2 (en) | System and method for wireless network selection |
US20130019298A1 (en) | Method and system for authenticating a point of access |
US20050260973A1 (en) | Wireless manager and method for managing wireless devices |
US20060230278A1 (en) | Methods,systems, and computer program products for determining a trust indication associated with access to a communication network |
EP2446347A1 (en) | Systems and methods for obtaining network credentials |
CN106412901A (en) | Network-loitering prevention wireless routing method and system |
US11336621B2 (en) | WiFiwall |
Chatzisofroniou et al. | Association attacks in ieee 802.11: Exploiting wifi usability features |
CN107040930B (en) | Method and system for preventing STA from associating illegal AP |
CA2815923A1 (en) | Location aware data network |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: IPASS INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MARMOLEJO-MEILLON, LUIS G.;NELSON, BARBARA;REEL/FRAME:025699/0030 Effective date: 20110124 |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |
AS | Assignment | Owner name: FORTRESS CREDIT CORP., NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:IPASS INC.;REEL/FRAME:046094/0323 Effective date: 20180614 |
AS | Assignment | Owner name: IPASS IP LLC, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:IPASS INC.;REEL/FRAME:046148/0555 Effective date: 20180619 |
AS | Assignment | Owner name: FIP UST LP, NEW YORK Free format text: SECURITY INTEREST;ASSIGNORS:IPASS INC.;IPASS IP LLC;REEL/FRAME:046170/0457 Effective date: 20180621 Owner name: FORTRESS CREDIT CORP., NEW YORK Free format text: SECURITY INTEREST;ASSIGNORS:IPASS INC.;IPASS IP LLC;REEL/FRAME:046170/0457 Effective date: 20180621 Owner name: DBD CREDIT FUNDING LLC, NEW YORK Free format text: SECURITY INTEREST;ASSIGNORS:IPASS INC.;IPASS IP LLC;REEL/FRAME:046170/0457 Effective date: 20180621 |
AS | Assignment | Owner name: POST ROAD ADMINISTRATIVE LLC, CONNECTICUT Free format text: SECURITY INTEREST;ASSIGNOR:IPASS IP LLC;REEL/FRAME:048462/0641 Effective date: 20190226 |
AS | Assignment | Owner name: IPASS INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:FORTRESS CREDIT CORP.;REEL/FRAME:048503/0518 Effective date: 20190222 |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
AS | Assignment | Owner name: IPASS IP LLC, CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:POST ROAD ADMINISTRATIVE LLC;REEL/FRAME:052525/0357 Effective date: 20190926 |
AS | Assignment | Owner name: IPASS IP LLC, CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNORS:FIP UST LP;DBD CREDIT FUNDING, LLC;REEL/FRAME:052564/0488 Effective date: 20190222 Owner name: IPASS INC., CALIFORNIA Free format text: RELEASE BY SECURED PARTY;ASSIGNORS:FIP UST LP;DBD CREDIT FUNDING, LLC;REEL/FRAME:052564/0488 Effective date: 20190222 |
AS | Assignment | Owner name: HIGH TRAIL INVESTMENTS SA LLC, AS COLLATERAL AGENT, NEW JERSEY Free format text: INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:IPASS IP LLC;REEL/FRAME:052888/0728 Effective date: 20200608 |
MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
AS | Assignment | Owner name: CHANNEL VENTURES GROUP, LLC, WASHINGTON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:PARETEUM CORPORATION;PARETEUM NORTH AMERICA CORPORATION;DEVICESCAPE HOLDINGS, INC.;AND OTHERS;REEL/FRAME:063988/0501 Effective date: 20220711 |
AS | Assignment | Owner name: CHANNEL IP B.V., NETHERLANDS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CHANNEL VENTURES GROUP, LLC;REEL/FRAME:064180/0440 Effective date: 20230526 |